网站搭建需要多少钱-免费seo网站推广怎么做-免费400电话怎么申请开通!
全国咨询热线:13313028229
当前位置:首页>>新闻资讯

上传的地方无任何身份验证,

网址:www.6ahm.com时间:2024-01-22 16:33:06(部分内容来源于网络,不代表本站观点)

一类是上传的地方无任何身份验证,而且可以直接上传木马。
One type is that the uploaded location does not have any authentication and can be directly uploaded to a Trojan.
一类是只是注册一个账户就可以上传的,然后上传的地方也没有做好过滤。
One type is simply registering an account to upload, and the upload location is not properly filtered.
一类是管理员后台的认证上传的。
One type is uploaded through authentication in the administrator's backend.
当然有的上传可以直接上传脚本木马,有的经过一定的处理后才可以上传脚本木马。无论怎样这是很多攻击者都是通过上传拿下网站的权限。
Of course, some uploads can directly upload script trojans, while others can only upload script trojans after certain processing. Regardless, many attackers obtain website permissions by uploading.
2.注入漏洞
2. Injection vulnerability
各种脚本的注入漏洞利用方法跟权限都有所差异。危险的可以直接威胁到服务器系统权限。普通的注入可以爆出数据库里面的账户信息。从而得到管理员的密码或其他有利用的资料。如果权限高点可以直接写入webshell,读取服务器的目录文件,或者直接加管理账户,执行替换服务等等攻击。
The injection vulnerability exploitation methods and permissions of various scripts vary. Dangerous can directly threaten server system permissions. Ordinary injection can reveal account information in the database. To obtain the administrator's password or other useful information. If the permissions are high, you can directly write to the webshell, read the server's directory file, or directly add a management account, execute replacement services, and other attacks.
3.中转注入,也叫cookie中转注入
3. Relay injection, also known as cookie relay injection
本来这个要归于楼上那一类,但是我单自列出来了。有些程序本身或者外加的防注入程序都只是过滤了对参数的post或者get。而忽略了cookie。所以攻击者只要中转一下同样可以达到注入的目的。
Originally, this was supposed to belong to the upstairs category, but I listed it separately. Some programs themselves or additional anti injection programs only filter posts or gets for parameters. And ignored cookies. So the attacker can also achieve the purpose of injection by simply transitioning.
4.数据库写入木马
4. Database Write Trojan
也就是以前可能有些程序员认为mdb的数据库容易被下载,就换成asp或者asa的。但是没有想到这么一换,带来了更大的安全隐患。这两种格式都可以用迅雷下载到本地的。更可怕的是,攻击者可以一些途径提交一句话木马,插入到数据库来,然后用工具连接就获得权限了。
In the past, some programmers may have thought that mdb databases were easy to download, so they switched to ASP or asa. But I didn't expect such a change to bring greater safety hazards. Both formats can be downloaded locally using Thunderbolt. Even more terrifying is that attackers can submit a sentence to a Trojan horse through some means, insert it into the database, and then use tools to connect to obtain permissions.

在线客服
联系方式

咨询热线

13313028229

电话

13230268999

上班时间

周一到周六8:30-5:00

二维码
线