Previously, I introduced Brute Force, which is the most common type of web attack. Today I will introduce command injection attacks.
A web command injection attack arises when data entered by a user is passed to a system command without strict filtering, giving an attacker the opportunity to run commands of their own.
I am not very familiar with web command attacks, so let me point to two links on web command attacks.
https://www.owasp.org/index.php/Testing_for_Command_Injection_(OWASP-DV-013)
Chinese: http://www.bkjia.com/Article/201208/146517.html
1. Let's take a look at the very dangerous code.
Web command attack - insecure code
This code uses the submitted data directly, without any filtering, which is very dangerous. For example, if the IP address entered by the user is not a normal one (such as hh.kk.lll.ii), the command still runs with it, and the result is terrible.
2. The following code provides preliminary data filtering. Let's take a look.
Web command attack - medium-security code
We can see that this code uses the str_replace function to filter the IP address: the disallowed characters are replaced with empty strings. However, a blacklist of this kind cannot handle every case.
Introduction to the str_replace function
3. Let's look at the secure code below.
Web command attack - secure code
This code verifies that each part of the obtained IP address consists only of numbers, so illegal IP addresses are fully filtered out before the command runs. It is the safest of the three.
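As an added example that is not the page's own code, the following PHP contrasts the three levels just described (raw concatenation, the str_replace blacklist from section 2, and the allow-list validation from section 3). The blacklist contents and the use of ctype_digit for the numeric check are assumptions, not taken from the page.

```php
<?php
// Added example, not the page's own code. Three ways of handling a user-supplied
// IP before it reaches ping, from weakest to strongest. The blacklist contents
// are an assumption.

// 1. Insecure: the input goes into the command unchanged.
function ping_insecure(string $target): ?string {
    return shell_exec('ping -c 3 ' . $target);
}

// 2. Medium: delete a few separators with str_replace() (assumed blacklist).
//    This only mangles the input; it never decides whether the input is an IP.
function filter_blacklist(string $target): string {
    return str_replace(['&&', ';'], '', $target);
}

// 3. Secure: allow-list validation. Require exactly four octets, each a pure
//    number from 0 to 255; return null (reject) for anything else.
function validate_ip(string $target): ?string {
    $octets = explode('.', stripslashes(trim($target)));
    if (count($octets) !== 4) {
        return null;
    }
    foreach ($octets as $octet) {
        if (!ctype_digit($octet) || (int) $octet > 255) {
            return null;
        }
    }
    return implode('.', $octets);
}

// Choose the ping syntax with stristr(), as the page's secure code does.
function ping_command(string $ip): string {
    $flags = stristr(php_uname('s'), 'Windows NT') ? '' : '-c 3 ';
    return 'ping ' . $flags . escapeshellarg($ip);   // second layer of defence
}

function ping_secure(string $target): ?string {
    $ip = validate_ip($target);
    return $ip === null ? null : shell_exec(ping_command($ip));
}

// Self-checks: nothing is executed for rejected input.
assert(validate_ip('192.168.1.1') === '192.168.1.1');
assert(validate_ip('hh.kk.lll.ii') === null);                         // the page's "not normal" address
assert(validate_ip('10.0.0.1; echo hi') === null);                    // rejected outright
assert(filter_blacklist('10.0.0.1; echo hi') === '10.0.0.1 echo hi'); // only stripped, still not an IP
```

The assert() calls only fire when zend.assertions is enabled (the default in development); ping_insecure is included for contrast and should never be deployed.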
Use of the stripslashes function
Use of the explode function
Use of the stristr function
Use of the shell_exec function