网站安全、sql注入和文件权限
我正在构建一个非常小的网站(使用 PHP),但有 2 个大问题 第一个是关于我的搜索表单 我构建了一个非常简单的搜索表单来检索我的内容,然后我使用了一个在线安全工具并显示我的搜索表单容易受到 SQLi 的攻击 我对此一无所知,所以我开始测试在某些网站上发现的一些攻击 到目前为止,只有 'OR 'x'='x
有效(它返回我网站的全部内容,这很糟糕吗?攻击者怎么能伤害我? 第二个问题是关于我的照片,我使用名为 mywebsite.com/uploads/ 的文件夹来访问我的照片 尽管 /upload 受到保护,但子文件夹 uploads/temp 和 uploads/thumbs 通过浏览器可见 这也能伤人吗? 有什么建议吗?
I am building a very small website (with PHP) and I have 2 big issues
The first one is about my search form
I have build a really simple search form in order to retrieve my content, then I used an online security tool and show me that my search form was vulnerable to SQLi
I had no idea abut that so I started testing some attacks I found on some sites
As far as now only 'OR 'x'='x
worked (it returns the entire content of my website, is this bad? How can an attacker hurt me?
The second issue is about my photos, I am using a folder called mywebsite.com/uploads/ to access my photos
Although /upload is protected the subfolders uploads/temp and uploads/thumbs are visible through the browser
May this be hurtful too?
Any advice?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
![扫码二维码加入Web技术交流群](/public/img/jiaqun_03.jpg)
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
SQL 注入确实很糟糕,但我喜欢它:)
SQL 注入有很多种类型,例如
远程 sql 注入
sql盲注
自动绕过sql注入
这是从网站黑客获取数据的简单方法,像程序员一样使用它
看这个例子
我的代码中没有安全性
site.php?id=1
我的查询将像
黑客一样执行,他会杀死你的代码
site.php?id=1(这里的任何东西都可能会产生问题,例如:` ' az AZ / * / " )
因为查询会像这样
,所以单引号会在你的查询中出错
,黑客可以像这样攻击,
你的查询将像这样执行
,这将起作用:)
盲sql注入
黑客无法工作用简单的方法远程sql注入,
因为它在这里取决于正确和错误
,所以他将使用
and
or
这样
如果工作正常,脚本将工作良好,否则会发生错误
他可以像这样知道数据库信息
示例管理表是
admin
自动绕过
它的 blicd sql 注入,但只有真实条件才能访问管理
黑客可以像这个
user = everything' 或 1=1 一样登录 -
所以你的查询将类似于
数据库中的任何错误用户
,但条件或1=1 为 true
-- 将忽略您的密码检查
他可以轻松访问
保护
文件夹权限您可以使用
空的 index.html , index.php ,
SQL injection is really bad but i like it :)
there is many types of sql injection like
remote sql injecton
blind sql injection
auto bypass sql injection
its the easy way to get data from site hacker use it like coders
see this example
There is no security in my code
site.php?id=1
my query will execute like
if hacker he will kill your code
site.php?id=1(any thing here can make problem ex: ` ' a-z A-Z / * / " )
Because query will be like this
so single quotaion will make error in your query
and hacker can attack like this
here your query will execute like
and this will work :)
blind sql injection
hacker cannot work with easy way remote sql injection
because it here depend on right and false
so he will use
and
or
like this
if work fine the script will work good else error will happen
he can know database info like this
example admin table is
admin
auto bypass
its blicd sql injection but only true condition can access to admin
hacker can login like this
user = anything' or 1=1 --
so your query will be like
anything is error user in databse
but condition or 1=1 is true
-- will ignore your password check
he can access easily
protect
folder premission you can use
empty index.html , index.php ,
如果您允许 SQL 注入,攻击者就可以对您的网站做各种坏事。他们可以将代码注入 DROP DATABASE,从而删除整个数据库!
如果您以 root 用户身份登录 mysql,他们可能会在您的服务器上写入(并创建)文件。
注射;
这是闯入服务器的常见第一步,允许攻击者在 www-data 用户下执行任意命令。从这里开始,将您的服务器引入僵尸网络,使用它发送垃圾邮件(将您列入发送电子邮件的黑名单),或者干脆删除所有文件来毁掉您的一天,都是微不足道的。
您必须做的是清理所有用户输入。因此,在您的搜索处理器中,您必须在将搜索查询传递到数据库之前对搜索查询中的所有特殊字符进行转义,您可以使用 mysql_real_escape_string(); 来执行此操作;
所以;
然后在 mysql 查询中使用 $search_query 是安全的。
If you allow SQL injection, an attacker can do all sorts of bad things to your website. They can inject code to DROP DATABASE, deleting your entire database!
If you are logging into your mysql as the root user, they can potentially write to files (and create) files on your server.
The injection;
Would be a common first step to breaking into your server, allowing the attacker to execute arbitrary commands under the www-data user. From here it is trivial to recruit your server into a botnet, use it to send spam (getting you blacklisted from sending emails), or simply delete all your files just to ruin your day.
What you must do, is to sanitise all user input. So, in your search processor, you must escape any special characters from the search query before passing it onto the database, you can do this using mysql_real_escape_string();
so;
It is then safe to use $search_query in your mysql query.
SQL 注入——这很糟糕。
有人可以在您的数据库中运行他想要的任何查询、查找密码、删除您的整个数据等。
您可以通过使用有关目录的 mysql_real_escape_string 包装查询中的所有用户输入来避免这种情况
- 这实际上取决于您提供的访问权限。如果文件列表可用,并不意味着有人可以更改/执行它们
SQL injections - it's bad.
someone can run any query he wants in your database, find passwords, delete your entire data etc.
you can avoid it by wrapping all user input in your queries with mysql_real_escape_string
about the directories - it really depends on the accesses you provide. if file listing is available, it doesn't really mean that someone can make changes/execute them
广告 SQL 注入:
)文件夹:您的意思是任何用户都可以看到文件夹的内容?如果是这样,用户可能会看到他们不应该看到的图片。如果您有充分的理由保护(没有文件列表?)主目录,为什么不将其应用于 temps/ 和thumbs/ 子目录?
Ad SQL Injection:
Ad the folders: you mean that any user can see the content of the folders? If so, users may see pictures they shouldn't see. If you had a good reason for protecting (no file listing?) the main directory, why not apply it to the temps/ and thumbs/ subdirectories?