
    The upload location has no authentication,

    URL: www.hqbet9599.com  Time: 2024-01-22 16:33:06 (Some content is sourced from the internet and does not represent the views of this site)

    One class is where the upload location has no authentication at all and a trojan can be uploaded directly.
    One class is where simply registering an account is enough to upload, and the upload location does not filter properly either.
    One class is uploads made through the authenticated administrator backend.
    Of course, some upload functions accept a script trojan directly, while others accept one only after some processing. Either way, many attackers take over a website's permissions through upload.
    2. Injection vulnerabilities
    Injection vulnerabilities in the various scripting languages differ in how they are exploited and in the privileges they yield. The dangerous ones can directly threaten system-level privileges on the server. An ordinary injection can expose the account information in the database, yielding the administrator's password or other useful data. With higher privileges, an attacker can write a webshell directly, read the server's directories and files, add an administrator account directly, replace services, and carry out other attacks.
    3. Relay injection, also known as cookie relay injection
    This really belongs in the category above, but I have listed it separately. Some applications, or the anti-injection programs added on to them, filter only the parameters submitted via POST or GET and ignore cookies. So an attacker only needs to relay the value to achieve the same injection.
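The gap described in item 3, shown next to a fix, as an added example that is not part of the original page. It assumes a hypothetical `news` table in SQLite, a constructed keyword filter, and a merged parameter lookup in the style of classic ASP's `Request(name)`; all function names are illustrative.

```python
import sqlite3

BLOCKLIST = ("'", ";", "--", " or ", "union")  # constructed keyword filter

def make_db():
    """Constructed sample data: one published row, one unpublished row."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO news VALUES (?, ?)", [(1, "published"), (2, "draft")])
    return db

def passes_filter(*sources):
    """Keyword filter that inspects only the sources it is handed."""
    return not any(tok in str(v).lower()
                   for src in sources for v in src.values() for tok in BLOCKLIST)

def resolve(name, query, form, cookies):
    """Merged lookup: query string first, then form, then cookies."""
    for src in (query, form, cookies):
        if name in src:
            return src[name]
    return None

def lookup_weak(db, query, form, cookies):
    """Filter covers GET/POST only, yet the value may still come from the cookie."""
    if not passes_filter(query, form):
        return None  # request rejected by the filter
    news_id = resolve("id", query, form, cookies)
    sql = "SELECT title FROM news WHERE id = " + str(news_id)  # string-built SQL
    return [row[0] for row in db.execute(sql)]

def lookup_hardened(db, query, form, cookies):
    """Same lookup, but the value is type-checked and bound whatever its source."""
    news_id = resolve("id", query, form, cookies)
    if news_id is None or not str(news_id).isdecimal():
        return None  # anything that is not a plain integer is rejected
    sql = "SELECT title FROM news WHERE id = ?"
    return [row[0] for row in db.execute(sql, (int(news_id),))]

# Constructed input: the same condition sent as a GET parameter and as a cookie.
CONDITION = "1 or 1=1"
```

The weak path rejects the value in the query string but returns every row when the same value arrives in the cookie; the hardened path does not depend on which source supplied it.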
    4. Writing a trojan into the database
    In the past, some programmers thought an mdb database was too easy to download, so they switched to asp or asa. They did not expect that this change would bring an even greater security risk. Files in both formats can be downloaded locally with Xunlei. Worse still, an attacker can submit a one-line trojan by some route so that it is inserted into the database, and then connect with a tool to gain access.
