PHP©¶´È«½â(Ïêϸ½éÉÜ)

Õe¶ÔPHPµÄÍøÕ¾Ö÷Òª´aeÔÚÏÂÃae¼¸ÖÖ¹¥»÷½Ê½:
1¡¢ÃuÁi×¢Èe(Command Injection)
2¡¢eval×¢Èe(Eval Injection)
3¡¢¿Í»§¶Ë½Å±¾¹¥»÷(Script Insertion)
4¡¢¿çÍøÕ¾½Å±¾¹¥»÷(Cross Site Scripting, XSS)
5¡¢SQL×¢Èe¹¥»÷(SQL injection)
6¡¢¿çÍøÕ¾ÇeÇoαÔi¹¥»÷(Cross Site Request Forgeries, CSRF)
7¡¢Session »a»°½Ù³Ö(Session Hijacking)
8¡¢Session ¹Ì¶¨¹¥»÷(Session Fixation)
9¡¢HTTPÏiÓ¦²ðÖ¹¥»÷(HTTP Response Splitting)
10¡¢ÎļþÉÏ´«Â(C)¶´(File Upload Attack)
11¡¢Ä¿Â¼´(C)Ô½Â(C)¶´(Directory Traversal)
12¡¢Ô¶³ÌÎļþ°uº¬¹¥»÷(Remote Inclusion)
13¡¢¶¯Ì¬º¯Êý×¢Èe¹¥»÷(Dynamic Variable Evaluation)
14¡¢URL¹¥»÷(URL attack)
15¡¢±iµ¥Ìa½»ÆÛÆ­¹¥»÷(Spoofed Form Submissions)
16¡¢HTTPÇeÇoÆÛÆ­¹¥»÷(Spoofed HTTP Requests)

ÃuÁi×¢Èe¹¥»÷
PHPÖпÉÒÔʹÓÃÏÂÁÐ5¸oº¯ÊýÀ´Ö´ÐÐÍa²¿µÄÓ¦ÓóÌÐo»oº¯Êý
system¡¢exec¡¢passthru¡¢shell_exec¡¢¡°(Óeshell_exec¹¦ÄÜÏaͬ)
º¯ÊýÔ­ÐÍ
string system(string command, int &return;_var)
command ÒªÖ´ÐеÄÃuÁi
return_var ´aeÅÖ´ÐÐÃuÁiµÄÖ´ÐкoµÄ״ֵ̬
string exec (string command, array &output;, int &return;_var)
command ÒªÖ´ÐеÄÃuÁi
output »ñµÃÖ´ÐÐÃuÁiÊa³oµÄÿһÐÐ×Öu´®
return_var ´aeÅÖ´ÐÐÃuÁiºoµÄ״ֵ̬
void passthru (string command, int &return;_var)
command ÒªÖ´ÐеÄÃuÁi
return_var ´aeÅÖ´ÐÐÃuÁiºoµÄ״ֵ̬
string shell_exec (string command)
command ÒªÖ´ÐеÄÃuÁi

Â(C)¶´ÊµÀý

Àý1:
//ex1.php
<?php
$dir = $_GET["dir"];
if (isset($dir))
{
echo "

";

system("ls -al ".$dir);

echo "

";
}
?>
ÎÒÃÇÌa½»http://www.sectop.com/ex1.php?dir=| cat /etc/passwd
Ìa½»ÒÔºo£¬ÃuÁi±a³ÉÁË system("ls -al | cat /etc/passwd");

eval×¢Èe¹¥»÷
evalº¯Êý½«ÊaÈeµÄ×Öu´®²ÎÊýµ±×÷PHP³ÌÐo´uÂeÀ´Ö´ÐÐ
º¯ÊýÔ­ÐÍ:
mixed eval(string code_str) //eval×¢ÈeÒ»°a¢ÉuÔÚ¹¥»÷ÕßÄÜ¿ØÖÆÊaÈeµÄ×Ö*u´®µÄʱºo
//ex2.php
<?php
$var = "var";
if (isset($_GET["arg"]))
{
$arg = $_GET["arg"];
eval("\$var = $arg;");
echo "\$var =".$var;
}
?>
µ±ÎÒÃÇÌa½» http://www.sectop.com/ex2.php?arg=phpinfo();Â(C)¶´¾Í²uÉuÁË

¶¯Ì¬º¯Êý
<?php
func A()
{
dosomething();
}
func B()
{
dosomething();
}
if (isset($_GET["func"]))
{
$myfunc = $_GET["func"];
echo $myfunc();
}
?>
³ÌÐoÔ±Ô­ÒaÊÇÏe¶¯Ì¬µ÷ÓÃAºÍBº¯Êý£¬ÄÇÎÒÃÇÌa½»http://www.sectop.com/ex.php?func=phpinfo Â(C)¶´²uÉu

À¶½¨
1¡¢¾¡Á¿²»ÒªÖ´ÐÐÍa²¿ÃuÁi
2¡¢Ê¹ÓÃ×Ô¶¨Òaº¯Êý»oº¯Êý¿aÀ´Ìae´uÍa²¿ÃuÁiµÄ¹¦ÄÜ
3¡¢Ê¹ÓÃescapeshellargº¯ÊýÀ´´¦ÀiÃuÁi²ÎÊý
4¡¢Ê¹ÓÃsafe_mode_exec_dirÖ¸¶¨¿ÉÖ´ÐÐÎļþµÄ¾¶
esacpeshellargº¯Êý»a½«ÈκÎÒýÆð²ÎÊý»oÃuÁi½aÊøµÄ×ÖuתÒa£¬µ¥ÒýºÅ¡°'¡±£¬Ìae»»³É¡°\'¡±£¬Ë«ÒýºÅ¡°"¡±£¬Ìae»»³É¡°\"¡±£¬ÖºÅ¡°;¡±Ìae»»³É¡°\;¡±
ÓÃsafe_mode_exec_dirÖ¸¶¨¿ÉÖ´ÐÐÎļþµÄ¾¶£¬¿ÉÒÔ°Ñ»aʹÓõÄÃuÁiÌaÇ°ÅÈe´Ë¾¶ÄÚ
safe_mode = On
safe_mode_exec_di r= /usr/local/php/bin/

¿Í»§¶Ë½Å±¾Ö²Èe

¿Í»§¶Ë½Å±¾Ö²Èe(Script Insertion)£¬ÊÇÖ¸½«¿ÉÒÔÖ´ÐеĽű¾²aÈeµ½±iµ¥¡¢Í¼Æ¬¡¢¶¯»­»o³¬Á´½ÓÎÄ×ֵȶÔÏoÄÚ¡£µ±Óû§´o¿ªÕaÐ(C)¶ÔÏoºo£¬¹¥»÷ÕßËuÖ²ÈeµÄ½Å±¾¾Í»a±»Ö´ÐУ¬½ø¶ø¿ªÊ¼¹¥»÷¡£
¿ÉÒÔ±»ÓÃ×÷½Å±¾Ö²ÈeµÄHTML±eÇ(C)Ò»°a°uÀ¨ÒÔϼ¸ÖÖ:
1¡¢ ÎÞÏÞµ¯¿o
²aÈe ÌøתµoÓaÒ³Ãae
»oÕßʹÓÃÆaËu×ÔÐй¹ÔiµÄjs´uÂe½øÐй¥»÷

À¶µÄ½¨
Ò»°aʹÓÃhtmlspecialcharsº¯ÊýÀ´½«ÌØÊa×Öuת»»³ÉHTML±aÂe
º¯ÊýÔ­ÐÍ
string htmlspecialchars (string string, int quote_style, string charset)
string ÊÇÒª±aÂeµÄ×Öu´®
quote_style ¿ÉÑ¡,Öµ¿ÉΪENT_COMPAT¡¢ENT_QUOTES¡¢ENT_NOQUOTES£¬Ä¬ÈÏÖµENT_COMPAT£¬±iʾֻת»»Ë«ÒýºÅ²»×ª»»µ¥ÒýºÅ¡£ENT_QUOTES£¬±iʾ˫ÒýºÅºÍµ¥ÒýºÅ¶¼Òª×ª»»¡£ENT_NOQUOTES£¬±iʾ˫ÒýºÅºÍµ¥ÒýºÅ¶¼²»×ª»»
charset ¿ÉÑ¡,±iʾʹÓõÄ×Öu¼¯
º¯Êý»a½«ÏÂÁÐÌØÊa×Öuת»»³Éhtml±aÂe:
& ¡ª-> &
" ¡ª-> "
¡® ¡ª-> ¡®
< ¡ª-> <

¡ª-> >
°Ñshow.phpµÄµÚ98ÐиijÉ
<?php echo htmlspecialchars(nl2br($row['question']), ENT_QUOTES); ?>
È»ºoÔÙ²e¿´²aÈejsµÄÂ(C)¶´Ò³Ãae

XSS¿çÕ¾½Å±¾¹¥»÷

XSS(Cross Site Scripting)£¬ÒaΪ¿çÍøÕ¾½Å±¾¹¥»÷£¬ÎªÁ˺ÍÑuʽ±icss(Cascading Style Sheet)Çø±ð£¬ËoдΪXSS
¿çÕ¾½Å±¾Ö÷Òª±»¹¥»÷ÕßÀuÓÃÀ´¶ÁÈ¡ÍøÕ¾Óû§µÄcookies»oÕßÆaËu¸oÈËÊý¾Ý£¬Ò»µ(C)¹¥»÷Õߵõ½ÕaÐ(C)Êý¾Ý£¬ÄÇôËu¾Í¿ÉÒÔαװ³É´ËÓû§À´µÇ¼ÍøÕ¾£¬»ñµÃ´ËÓû§µÄȨÏÞ¡£
¿çÕ¾½Å±¾¹¥»÷µÄÒ»°a²½Öe:
1¡¢¹¥»÷ÕßÒÔijÖֽʽ¢ËÍxssµÄhttpÁ´½Ó¸øÄ¿±eÓû§
2¡¢Ä¿±eÓû§µÇ¼´ËÍøÕ¾£¬ÔڵǽÆÚ¼a´o¿ªÁ˹¥»÷Õß*¢Ë͵ÄxssÁ´½Ó
3¡¢ÍøÕ¾Ö´ÐÐÁË´Ëxss¹¥»÷½Å±¾
4¡¢Ä¿±eÓû§Ò³ÃaeÌøתµ½¹¥»÷ÕßµÄÍøÕ¾£¬¹¥»÷ÕßÈ¡µÃÁËÄ¿±eÓû§µÄÐÅÏ¢
5¡¢¹¥»÷ÕßʹÓÃÄ¿±eÓû§µÄÐÅÏ¢µÇ¼ÍøÕ¾£¬Íe³É¹¥»÷

µ±ÓдaeÔÚ¿çÕ¾Â(C)¶´µÄ³ÌÐo³oÏÖµÄʱºo£¬¹¥»÷Õß¿ÉÒÔ¹¹ÔiÀaËÆ http://www.sectop.com/search.php?key= £¬ÓÕÆ­Óû§µa»÷ºo£¬¿ÉÒÔ»ñÈ¡Óû§cookiesÖµ
À¶½¨:
ÀuÓÃhtmlspecialcharsº¯Êý½«ÌØÊa×Öuת»»³ÉHTML±aÂe
º¯ÊýÔ­ÐÍ
string htmlspecialchars (string string, int quote_style, string charset)
string ÊÇÒª±aÂeµÄ×Öu´®
quote_style ¿ÉÑ¡,Öµ¿ÉΪENT_COMPAT¡¢ENT_QUOTES¡¢ENT_NOQUOTES£¬Ä¬ÈÏÖµENT_COMPAT£¬±iʾֻת»»Ë«ÒýºÅ²»×ª»»µ¥ÒýºÅ¡£ENT_QUOTES£¬±iʾ˫ÒýºÅºÍµ¥ÒýºÅ¶¼Òª×ª»»¡£ENT_NOQUOTES£¬±iʾ˫ÒýºÅºÍµ¥ÒýºÅ¶¼²»×ª»»
charset ¿ÉÑ¡,±iʾʹÓõÄ×Öu¼¯
º¯Êý»a½«ÏÂÁÐÌØÊa×Öuת»»³Éhtml±aÂe:
& ¡ª-> &
" ¡ª-> "
¡® ¡ª-> ¡®
< ¡ª-> <

¡ª-> >

$_SERVER["PHP_SELF"]±aÁ¿µÄ¿çÕ¾
ÔÚij¸o±iµ¥ÖУ¬Èç¹uÌa½»²ÎÊý¸ø×Ô¼º£¬»aÓÃÕaÑuµÄÓi¾a
<form action="<?php echo $_SERVER["PHP_SELF"];?>" method="POST">
¡­¡­

$_SERVER["PHP_SELF"]±aÁ¿µÄֵΪµ±Ç°Ò³ÃaeÃu³Æ Àý: http://www.sectop.com/get.php get.phpÖÐÉÏÊoµÄ±iµ¥ ÄÇôÎÒÃÇÌa½» http://www.sectop.com/get.php/"> ÄÇô±iµ¥±a³É

" method="POST"> ¿çÕ¾½Å±¾±»²a½øÈ¥ÁË *ÀÓu*½*¨»¹ÊÇʹÓÃhtmlspecialchars¹ýÂËÊa³oµÄ±aÁ¿£¬»oÕßÌa½»¸ø×ÔÉiÎļþµÄ±iµ¥Ê¹Óà ÕaÑuÖ±½Ó±ÜÃaÁË$_SERVER["PHP_SELF"]±aÁ¿±»¿çÕ¾

SQL×¢Èe¹¥»÷

SQL×¢Èe¹¥»÷(SQL Injection)£¬Êǹ¥»÷ÕßÔÚ±iµ¥ÖÐÌa½»¾«ÐĹ¹ÔiµÄsqlÓi¾a£¬¸Ä¶¯Ô­À´µÄsqlÓi¾a£¬Èç¹uweb³ÌÐoûÓжÔÌa½»µÄÊý¾Ý¾­¹ý¼i²e£¬ÄÇô¾Í»aÔi³Ésql×¢Èe¹¥»÷¡£

¡¡¡¡SQL×¢Èe¹¥»÷µÄÒ»°a²½Öe:

¡¡¡¡1¡¢¹¥»÷Õß*ÃÎÊÓÐSQL×¢ÈeÂ(C)¶´µÄÕ¾µa£¬Ñ°ÕÒ×¢Èeµa

¡¡¡¡2¡¢¹¥»÷Õß¹¹Ôi×¢ÈeÓi¾a£¬×¢ÈeÓi¾aºÍ³ÌÐoÖеÄSQLÓi¾a½aºÏÉu³ÉеÄsqlÓi¾a

¡¡¡¡3¡¢ÐµÄsqlÓi¾a±»Ìa½»µ½Êý¾Ý¿aÖÐÖ´ÐÐ ´¦Ài

¡¡¡¡4¡¢Êý¾Ý¿aÖ´ÐÐÁËеÄSQLÓi¾a£¬Òý*¢SQL×¢Èe¹¥»÷

¡¡ÊµÀý

¡¡¡¡Êý¾Ý¿a

¡¡¡¡CREATE TABLE postmessage (

¡¡¡¡id int(11) NOT NULL auto_increment,

¡¡¡¡subject varchar(60) NOT NULL default ¡±,

¡¡¡¡name varchar(40) NOT NULL default ¡±,

¡¡¡¡email varchar(25) NOT NULL default ¡±,

¡¡¡¡question mediumtext NOT NULL,

¡¡¡¡postdate datetime NOT NULL default '1999-01-01 01:01:01¡a,

¡¡¡¡PRIMARY KEY (id)

¡¡¡¡) ENGINE=MyISAM DEFAULT CHARSET=gb2312 COMMENT='ÔËÓÃÕßµÄÁoÑÔ' AUTO_INCREMENT=69 ;

¡¡¡¡grant all privileges on ch3.* to ¡®sectop'@localhost identified by '123456¡a;

¡¡¡¡//add.php ²aÈeÁoÑÔ

¡¡¡¡//list.php ÁoÑÔÁбi

¡¡¡¡//show.php ÏÔʾÁoÑÔ

¡¡¡¡Ò³Ãae http://www.netsos.com.cn/show.php?id=71 ¿ÉÄÜ´aeÔÚ×¢Èeµa£¬ÎÒÃÇÀ´²aÊÔ

¡¡¡¡http://www.netsos.com.cn/show.php?id=71 and 1=1

¡¡¡¡*µ»ØÒ³Ãae

¡¡

Ìa½»

¡¡¡¡Ò»´Î²eѯµ½¼Ç¼£¬Ò»´ÎûÓУ¬ÎÒÃÇÀ´¿´¿´Ô´Âe

¡¡¡¡//show.php 12-15ÐÐ

¡¡¡¡// Ö´ÐÐmysql²eѯÓi¾a

¡¡¡¡$query = "select * from postmessage where id = ".$_GET["id"];

¡¡¡¡$result = mysql_query($query)

¡¡¡¡or die("Ö´ÐÐySQL²eѯÓi¾aʧ°Ü£º" . mysql_error());

¡¡¡¡²ÎÊýid´«µÝ½øÀ´ºo£¬ºÍÇ°ÃaeµÄ×Öu´®½aºÏµÄsqlÓi¾aÅÈeÊý¾Ý¿aÖ´ÐÐ ²eѯ

¡¡¡¡Ìa½» and 1=1£¬Ói¾a±a³Éselect from postmessage where id = 71 and 1=1 ÕaÓi¾aÇ°ÖµºoÖµ¶¼ÎªÕae£¬andÒÔºoҲΪÕae£¬µ»Ø²eѯµ½µÄÊý¾Ý

¡¡¡¡Ìa½» and 1=2£¬Ói¾a±a³Éselect * from postmessage where id = 71 and 1=2 ÕaÓi¾aǰֵΪÕae£¬ºoֵΪ¼Ù£¬andÒÔºoΪ¼Ù£¬²eѯ²»µ½ÈκÎÊý¾Ý

¡¡¡¡Õý³£µÄSQL²eѯ£¬¾­¹ýÎÒÃǹ¹ÔiµÄÓi¾aÖ®ºo£¬ÐγÉÁËSQL×¢Èe¹¥»÷¡£Í¨¹ýÕa¸o×¢Èeµa£¬ÎÒÃÇ»¹¿ÉÒÔ½øÒ»²½Äõ½È¨ÏÞ£¬±ÈÈç˵ÔËÓà union¶ÁÈ¡¹ÜÀiÃÜÂe£¬¶ÁÈ¡Êý¾Ý¿aÐÅÏ¢£¬»oÕßÓÃmysqlµÄload_file£¬into outfileµÈº¯Êý½øÒ»²½Éø͸¡£

À¶½¨

¡¡¡¡ÕuÐͲÎÊý:

¡¡¡¡ÔËÓà intvalº¯Êý½«Êý¾Ýת»»³ÉÕuÊý

¡¡¡¡º¯ÊýÔ­ÐÍ

¡¡¡¡int intval(mixed var, int base)

¡¡¡¡ varÊÇҪת»»³ÉÕuÐεıaÁ¿

¡¡¡¡ base£¬¿ÉÑ¡£¬ÊÇ»u´¡Êý£¬Ä¬ÈÏÊÇ10

¡¡¡¡¸¡µaÐͲÎÊý:

¡¡¡¡ÔËÓà floatval»odoublevalº¯Êý*Ö±ðת»»µ¥¾«¶ÈºÍË«¾«¶È¸¡µaÐͲÎÊý

¡¡¡¡º¯ÊýÔ­ÐÍ

¡¡¡¡int floatval(mixed var)

¡¡¡¡ varÊÇҪת»»µÄ±aÁ¿

¡¡ int doubleval(mixed var)

¡¡¡¡ varÊÇҪת»»µÄ±aÁ¿

*¡¡¡¡×ÖuÐͲÎÊý:**

¡¡¡¡ÔËÓà addslashesº¯ÊýÀ´½«µ¥ÒýºÅ¡°'¡±×ª»»³É¡°\'¡±£¬Ë«ÒýºÅ¡°"¡±×ª»»³É¡°\"¡±£¬´Ð±¸Ü¡°\¡±×ª»»³É¡°\\¡±£¬NULL×Öu¼ÓÉÏ*´Ð±¸Ü¡°\¡±

¡¡¡¡º¯ÊýÔ­ÐÍ

¡¡¡¡string addslashes (string str)

¡¡¡¡ strÊÇÒª¼i²eµÄ×Ö*u´®

¡¡¡¡ÄÇô¸Õ²Å³oÏֵĴuÂeÂ(C)¶´£¬ÎÒÃÇ¿ÉÒÔÕaÑuÐÞ²¹

¡¡¡¡// Ö´ÐÐmysql²eѯÓi¾a

¡¡¡¡$query = "select * from postmessage where id = ".intval($_GET["id"]);

¡¡¡¡$result = mysql_query($query)

or die("Ö´ÐÐySQL²eѯÓi¾aʧ°Ü£º" . mysql_error());

¡¡¡¡Èç¹uÊÇ×ÖuÐÍ£¬ÏÈÅжÏmagic_quotes_gpcÄÜÎÞ¨ ΪOn,µ±²»ÎªOnµÄʱºoÔËÓà addslashesתÒaÌØÊa×Ö*u

¡¡¡¡if(get_magic_quotes_gpc())

¡¡¡¡{

¡¡¡¡$var = $_GET["var"];

¡¡¡¡}

¡¡¡¡else

¡¡¡¡{

¡¡¡¡$var = addslashes($_GET["var"]);

¡¡¡¡}

¡¡¡¡ÔٴβaÊÔ£¬Â(C)¶´ÒѾ­ÐÞ²¹

¿aÍøվαÔiÇeÇo

CSRF(Cross Site Request Forgeries)£¬ÒaΪ¿çÍøÕ¾ÇeÇoαÔi£¬Ò²ÓÐдΪXSRF¡£¹¥»÷ÕßαÔiÄ¿±eÓû§µÄHTTPÇeÇo£¬È»ºo´ËÇeÇo¢Ë͵½ÓÐCSRFÂ(C)¶´µÄÍøÕ¾£¬ÍøÕ¾Ö´ÐдËÇeÇoºo£¬Òý¢¿çÕ¾ÇeÇoαÔi¹¥»÷¡£¹¥»÷ÕßÀuÓÃÒþ±ÎµÄHTTPÁ¬½Ó£¬ÈÃÄ¿±eÓû§ÔÚ²»×¢ÒaµÄÇe¿oϵ¥»÷Õa¸oÁ´½Ó£¬ÓÉÓÚÊÇÓû§×Ô¼ºµa»÷µÄ£¬¶øËuÓÖÊǺϨÓû§ÓµÓкϨȨÏÞ£¬ËuÒÔÄ¿±eÓû§Äܹ»ÔÚÍøÕ¾ÄÚÖ´ÐÐÌض¨µÄHTTPÁ´½Ó£¬´Ó¶ø´iµ½¹¥»÷ÕßµÄÄ¿µÄ¡£
ÀýÈç:ij¸o¹ºÎiÍøÕ¾¹ºÂoÉÌÆʱ£¬²ÉÓÃhttp://www.shop.com/buy.php?item=watch#=1£¬item²ÎÊýȶ¨Òª¹ºÂoʲôÎiÆ£¬num²ÎÊýȶ¨Òª¹ºÂoÊýÁ¿£¬Èç¹u¹¥»÷ÕßÒÔÒþ²ØµÄ½Ê½¢Ë͸øÄ¿±eÓû§Á´½Ó

£¬ÄÇôÈç¹uÄ¿±eÓû§²»Ð¡ÐÄ*ÃÎÊÒÔºo£¬¹ºÂoµÄÊýÁ¿¾Í³ÉÁË1000¸o

ʵÀý
ËaeÔµÍøÂçPHPÁoÑÔ°aV1.0

ÈÎÒaɾ³ýÁoÑÔ
//delbook.php ´ËÒ³ÃaeÓÃÓÚɾ³ýÁoÑÔ
<?php
include_once("dlyz.php"); //dlyz.phpÓû§Ñe֤ȨÏÞ£¬µ±È¨ÏÞÊÇadminµÄʱºo½¿Éɾ³ýÁoÑÔ
include_once("../conn.php");
$del=$_GET["del"];
$id=$_GET["id"];
if ($del=="data")
{
$ID_Dele= implode(",",$_POST['adid']);
$sql="delete from book where id in (".$ID_Dele.")";
mysql_query($sql);
}
else
{
$sql="delete from book where id=".$id; //´«µÝҪɾ³ýµÄÁoÑÔID
mysql_query($sql);
}
mysql_close($conn);
echo "";
?>
µ±ÎÒÃǾßÓÐadminȨÏÞ£¬Ìa½»http://localhost/manage/delbook.php?id=2 ʱ£¬¾Í»aɾ³ýidΪ2µÄÁoÑÔ
ÀuÓý¨:
ÎÒÃÇʹÓÃÆÕͨÓû§ÁoÑÔ£¨Ô´´uÂe½Ê½£(C)£¬ÄÚÈÝΪ

²aÈe4ÕÅͼƬÁ´½Ó*Ö±ðɾ³ý4¸oidÁoÑÔ£¬È»ºoÎÒÃÇ*µ»ØÊ×Ò³a¯ÀÀ¿´£¬Ã»ÓÐʲô±a»¯¡£¡£Í¼Æ¬ÏÔʾ²»ÁË ÏÖÔÚÎÒÃÇÔÙÓùÜÀiÔ±Õ˺ŵǽºo£¬À´Ë¢ÐÂÊ×Ò³£¬»a*¢ÏÖÁoÑÔ¾ÍÊ£Ò»Ìo£¬ÆaËuÔÚͼƬÁ´½ÓÖÐÖ¸¶¨µÄIDºÅµÄÁoÑÔ£¬È«²¿¶¼±»É¾³ý¡£ ¹¥»÷ÕßÔÚÁoÑÔÖвaÈeÒþ²ØµÄͼƬÁ´½Ó£¬´ËÁ´½Ó¾ßÓÐɾ³ýÁoÑÔµÄ×÷Ó㬶ø¹¥»÷Õß×Ô¼º*ÃÎÊÕaÐ(C)ͼƬÁ´½ÓµÄʱºo£¬ÊDz»¾ßÓÐȨÏ޵ģ¬ËuÒÔ¿´²»µ½ÈκÎЧ¹u£¬µ«Êǵ±¹ÜÀiÔ±µÇ½ºo£¬²e¿´´ËÁoÑÔ£¬¾Í»aÖ´ÐÐÒþ²ØµÄÁ´½Ó£¬¶øËuµÄȨÏÞÓÖÊÇ×a¹»´oµÄ£¬´Ó¶øÕaÐ(C)ÁoÑԾͱ»É¾³ýÁË Ð޸ĹÜÀiÔ±ÃÜÂe //pass.php if($_GET["act"]) { $username=$_POST["username"]; $sh=$_POST["sh"]; $gg=$_POST["gg"]; $title=$_POST["title"]; $copyright=$_POST["copyright"]."
Ée¼ÆÖÆ×÷£ºÏÃÃÅËaeÔµÍøÂç¿Æ¼¼"; $password=md5($_POST["password"]); if(empty($_POST["password"])) { $sql="update gly set username='".$username."',sh=".$sh.",gg='".$gg."',title='".$title."',copyright='".$copyright."' where id=1"; } else { $sql="update gly set username='".$username."',password='".$password."',sh=".$sh.",gg='".$gg."',title='".$title."',copyright='".$copyright."' where id=1"; } mysql_query($sql); mysql_close($conn); echo ""; } Õa¸oÎļþÓÃÓÚÐ޸ĹÜÀiÃÜÂeºÍÍøÕ¾ÉeÖõÄÒ»Ð(C)ÐÅÏ¢£¬ÎÒÃÇ¿ÉÒÔÖ±½Ó¹¹ÔiÈçϱiµ¥: »¶Ó­Äu°²×°Ê¹ÓÃËaeÔµÍøÂçPHPÁoÑÔ°aV1.0(´øÉoºË¹¦ÄÜ)£¡ ËaeÔµÍøÂçPHPÁoÑÔ±¾V1.0 °aeȨËuÓУºÏÃÃÅËaeÔµÍøÂç¿Æ¼¼ 2005-2009<br/>³Ð½ÓÍøÕ¾½¨Ée¼°ÏµÍ³¶¨ÖÆ Ìa¹(C)ÓÅ»ÝÖ÷»uÓoÃu

´aeΪattack.html£¬*ŵ½×Ô¼ºÍøÕ¾ÉÏhttp://www.sectop.com/attack.html£¬´ËÒ³Ãae*ÃÎʺo»a×Ô¶¯ÏoÄ¿±e³ÌÐoµÄpass.phpÌa½»²ÎÊý£¬Óû§ÃuÐÞ¸ÄΪroot£¬ÃÜÂeÐÞ¸ÄΪroot£¬È»ºoÎÒÃÇÈ¥ÁoÑÔ°a*¢Ò»ÌoÁoÑÔ£¬Òþ²ØÕa¸oÁ´½Ó£¬¹ÜÀi*ÃÎÊÒÔºo£¬ËuµÄÓû§ÃuºÍÃÜÂeÈ«²¿Ð޸ijÉÁËroot

À¶½¨
À¶CSRFÒª±ÈÀ¶ÆaËu¹¥»÷¸u¼ÓÀ§ÄÑ£¬ÒoΪCSRFµÄHTTPÇeÇoËaÈ»Êǹ¥»÷ÕßαÔiµÄ£¬µ«ÊÇÈ´ÊÇÓÉÄ¿±eÓû§¢³oµÄ£¬Ò»°a³£¼uµÄÀ¶½¨ÓÐÏÂÃae¼¸ÖÖ:
1¡¢¼i²eÍøÒ³µÄÀ´Ô´
2¡¢¼i²eÄÚÖõÄÒþ²Ø±aÁ¿
3¡¢Ê¹ÓÃPOST£¬²»ÒªÊ¹ÓÃGET
¼i²eÍøÒ³À´Ô´
ÔÚ//pass.phpͲ¿¼ÓÈeÒÔϺiÉ«×ÖÌa´uÂe£¬ÑeÖ¤Êý¾ÝÌa½»

if($_GET["act"])
{
if(isset($_SERVER["HTTP_REFERER"]))
{
$serverhost = $_SERVER["SERVER_NAME"];
$strurl = str_replace("http://","",$_SERVER["HTTP_REFERER"]);
$strdomain = explode("/",$strurl);
$sourcehost = $strdomain[0];
if(strncmp($sourcehost, $serverhost, strlen($serverhost)))
{
unset($_POST);
echo "";
}
}
$username=$_POST["username"];
$sh=$_POST["sh"];
$gg=$_POST["gg"];
$title=$_POST["title"];
$copyright=$_POST["copyright"]."
Ée¼ÆÖÆ×÷£ºÏÃÃÅËaeÔµÍøÂç¿Æ¼¼";
$password=md5($_POST["password"]);
if(empty($_POST["password"]))
{
$sql="update gly set username='".$username."',sh=".$sh.",gg='".$gg."',title='".$title."',copyright='".$copyright."' where id=1";
}
else
{
$sql="update gly set username='".$username."',password='".$password."',sh=".$sh.",gg='".$gg."',title='".$title."',copyright='".$copyright."' where id=1";
}
mysql_query($sql);
mysql_close($conn);
echo "";
}
¼i²eÄÚÖÃÒþ²Ø±aÁ¿
ÎÒÃÇÔÚ±iµ¥ÖÐÄÚÖÃÒ»¸oÒþ²Ø±aÁ¿ºÍÒ»¸osession±aÁ¿£¬È»ºo¼i²eÕa¸oÒþ²Ø±aÁ¿ºÍsession±aÁ¿ÊÇñÏaµÈ£¬ÒÔ´ËÀ´ÅжÏÊÇñͬһ¸oÍøÒ³Ëuµ÷ÓÃ
<?php
include_once("dlyz.php");
include_once("../conn.php");
if($_GET["act"])
{
if (!isset($_SESSION["post_id"]))
{
// Éu³ÉΨһµÄID£¬²¢Ê¹ÓÃMD5À´¼ÓÃÜ
$post_id = md5(uniqid(rand(), true));
// ´´½¨Session±aÁ¿
$_SESSION["post_id"] = $post_id;
}
// ¼i²eÊÇ*ñÏaµÈ
if (isset($_SESSION["post_id"]))
{
// ²»ÏaµÈ
if ($_SESSION["post_id"] != $_POST["post_id"])
{
// Ça³ýPOST±aÁ¿
unset($_POST);
echo "";
}
}

¡­¡­

<input type="reset" name="Submit2" value="ÖØ  ÖÃ">  

<input type="hidden" name="post_id" value="<?php echo $_SESSION["post_id"];?>">

ʹÓÃPOST£¬²»ÒªÊ¹ÓÃGET ´«µÝ±iµ¥×Ö¶Îʱ£¬Ò»¶¨ÒªÊÇÓÃPOST£¬²»ÒªÊ¹ÓÃGET£¬´¦Ài±aÁ¿Ò²²»ÒªÖ±½ÓʹÓÃ$_REQUEST

*httpÏiÓ¦²ðÖ**

HTTPÇeÇoµÄ¸ñʽ

1£(C)ÇeÇoÐÅÏ¢£ºÀýÈç¡°Get /index.php HTTP/1.1¡±£¬ÇeÇoindex.phpÎļþ

2£(C)±iÍ£ºÀýÈç¡°Host: localhost¡±£¬±iʾþÎñÆ÷µØÖ*

3£(C)¿Õ°×ÐÐ

4£(C)ÐÅÏ¢ÕýÎÄ

¡°ÇeÇoÐÅÏ¢¡±ºÍ¡°±iÍ¡±¶¼±ØÐeʹÓû»ÐÐ×Öu£¨CRLF£(C)À´½a⣬¿Õ°×ÐÐÖ»ÄÜ°uº¬»»ÐÐu£¬²»¿ÉÒÔÓÐÆaËu¿Õ¸ñu¡£

ÏÂÃaeÀý×Ó¢ËÍHTTPÇeÇo¸øþÎñÆ÷www.yhsafe.com

GET /index.php HTTP/1.1¨L //ÇeÇoÐÅÏ¢

Host:www.yhsafe.com¨L //±iÍ*

¨L //¿Õ¸ñÐÐ

¨L

¨L*uºÅ±iʾ»Ø³µ¼u£¬ÔÚ¿Õ°×ÐÐÖ®ºo»¹ÒªÔÚ°´Ò»¸o¿Õ¸ñ²Å»a*¢ËÍHTTPÇeÇo£¬HTTPÇeÇoµÄ±iÍ*ÖÐÖ»ÓÐHost±iÍ*ÊDZØÒªµÄ¶o£¬ÆaÓaµÄHTTP±iÍ*ÔoÊǸu¾ÝHTTPÇeÇoµÄÄÚÈݶø¶¨¡£

HTTPÇeÇoµÄ½¨

1£(C)GET£ºÇeÇoÏiÓ¦

2£(C)HEAD£ºÓeGETÏaͬµÄÏiÓ¦£¬Ö»ÒªÇoÏiÓ¦±iÍ*

3£(C)POST£º¢ËÍÊý¾Ý¸øþÎñÆ÷´¦Ài£¬Êý¾Ý°uº¬ÔÚHTTPÐÅÏ¢ÕýÎÄÖÐ

4£(C)PUT£ºÉÏ´«Îļþ

5£(C)DELETE£ºÉ¾³ýÎļþ

6£(C)TRACE£º×*×ÙÊÕµ½µÄÇeÇo

7£(C)OPTIONS£ºµ»ØþÎñÆ÷ËuÖ§³ÖµÄHTTPÇeÇoµÄ½¨

8£(C)CONNECT£º½«HTTPÇeÇoµÄÁ¬½Óת»»³É͸Ã÷µÄTCP/IPͨµÀ

HTTPÏiÓ¦µÄ¸ñʽ

þÎñÆ÷ÔÚ´¦ÀiÍe¿Í»§¶ËËuÌa³oµÄHTTPÇeÇoºo£¬»a¢ËÍÏÂÁÐÏiÓ¦¡£

1£(C)µÚÒ»ÐÐÊÇ״̬Âe

2£(C)µÚ¶þÐпªÊ¼ÊÇÆaËuÐÅÏ¢

״̬Âe°uº¬Ò»¸o±eʶ״̬µÄÊý×ÖºÍÒ»¸oÃeÊo״̬µÄµ¥´Ê¡£ÀýÈ磺

HTTP/1.1 200 OK

200ÊDZeʶ״̬µÄÊÇÊý×Ö£¬OKÔoÊÇÃeÊo״̬µÄµ¥´Ê£¬Õa¸o״̬Âe±eʶÇeÇo³É¹¦¡£

HTTPÇeÇoºÍÏiÓ¦µÄÀý×Ó

´o¿ªcmdÊaÈetelnet£¬ÊaÈeopen www.00aq.com 80

´o¿ªÁ¬½ÓºoÊaÈe

GET /index.php HTTP/1.1¨L

Host:www.00aq.com¨L

¨L

¨L

µ»ØHTTPÏiÓ¦µÄ±iÍ

*µ»ØµÄÊ×Ò³ÄÚÈÝ

*ʹÓÃPHPÀ´¢ËÍHTTPÇeÇo**

headerº¯Êý¿ÉÒÔÓÃÀ´¢ËÍHTTPÇeÇoºÍÏiÓ¦µÄ±iÍ

º¯ÊýÔ­ÐÍ

void header(string string [, bool replace [, int http_response_code]])