网络安全/top10漏洞/任意文件下载
危害
可以下载服务器上的任意文件,包括一些敏感的配置文件和系统文件,例如:数据库的配置文件中会有数据库的账号密码端口等信息,linux服务器在/etc/passwd文件中存放了用户的账号密码
如何发现
在网站一些可以提供下载功能的位置,或是在url中看到:
download.php?file=...
download.php?filename...
...类似于以上的这种形式
如何防护
- 过滤. 让攻击者无法通过../的方式进行目录穿透从而下载到一些敏感的配置文件
- 使用严格的正则匹配
以上两种的共性就是url种的参数进行严格的过滤
- 在php.ini配置文件,配置open_basedir来限制文件访问范围
open_basedir='C:\www\hibugs'以上的配置中就能够限制访问范围为hibugs该目录,不能穿透到www目录
8人评论了“任意文件下载”
matadorbet porn
child porn
child porn
In addition, 5 hmC levels were shown to correlate with differentiation status, with higher levels when more differentiated 29 priligy india Her adoptive father Morris Chestnut tries to get mousy Mindy to mix with normal girls at school for this, read Mean Girls style horrors and when a blonde cheerleader type asks her, Don t you want to walk out of your house in skin tight clothing, like a strong, independent woman
I don’t think the title of your article matches the content lol. Just kidding, mainly because I had some doubts after reading the article.
I don’t think the title of your article matches the content lol. Just kidding, mainly because I had some doubts after reading the article.
deneme bonusu veren siteler
Burada verilen deneme bonusu siteleri çok iyi, takip etmenizi öneririm.