A glimpse of penetration technology (figure) _ Vulnerability Research

Source: Internet
Author: User
Tags sql injection
Penetration is an intrusion in which the intruder directly uses the original functions of the target, and it can be carried out with many different methods. Whether you are an individual user, a database administrator or a webmaster, building a secure website, forum, database server and secure SQL scripts requires understanding the potential hazards of penetration techniques.

Many users feel that computer information security, or the things hackers care about, are rather advanced topics. In fact, with something like penetration techniques it may only be the professional terminology that makes you a little dizzy; in day-to-day computer use you will often come across penetration techniques.


Let's take a small example as a simple illustration: if I told you that "' or 1=1 '" is a user name or password that a user registered on a certain forum, what would you think? If you have a little basic knowledge of SQL, you will understand what this user name means, and you will understand the great difference between "select U_name from Userlst where u_name=xxx" and "select U_name from Userlst where u_name=xxx or 1=1". On a website with a low safety margin, hackers can easily use similarly simple SQL statements to illegally access or attack the site, and these are just the tip of the iceberg of penetration techniques.
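The difference between the two statements can be reproduced against an in-memory SQLite table. This is an added example, not code from the original article: the table and column names follow the article's query, while the `u_pass` column, the rows and the exact quoting of the submitted string are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """In-memory table using the article's names (Userlst, U_name); rows are constructed."""
    db = sqlite3.connect(":memory:")
    db.execute("create table Userlst (U_name text, u_pass text)")
    db.executemany("insert into Userlst values (?, ?)",
                   [("alice", "pw-a"), ("bob", "pw-b")])
    return db


def build_concatenated(name):
    # Vulnerable pattern: the submitted name is pasted into the SQL text,
    # so quote characters inside it are parsed as SQL syntax.
    return "select U_name from Userlst where u_name='" + name + "'"


def lookup_concatenated(db, name):
    return sorted(row[0] for row in db.execute(build_concatenated(name)))


def lookup_parameterized(db, name):
    # Hardened form: the statement text is fixed and the name is bound as data.
    sql = "select U_name from Userlst where u_name=?"
    return sorted(row[0] for row in db.execute(sql, (name,)))


# Constructed input: the article's "' or 1=1" string, closed with "or '" so the
# concatenated statement stays syntactically valid.
SUBMITTED = "' or 1=1 or '"

if __name__ == "__main__":
    db = make_db()
    print(build_concatenated(SUBMITTED))
    print("concatenated :", lookup_concatenated(db, SUBMITTED))
    print("parameterized:", lookup_parameterized(db, SUBMITTED))
```

With the concatenated query the condition is true for every row, so the whole user list comes back; with the bound parameter the same string is compared as a literal user name and matches nothing.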


Probing

"Stop! What are you doing?" The guard called out to the young man who had been wandering in front of the headquarters for a long time. "A tourist." The young man looked at the guard, his eyes strangely calm, and he seemed, consciously or unconsciously, to glance at the headquarters not far away; in the sunset the headquarters seemed so mysterious. Then the young man walked away under the watchful eye of the guard.


Infiltration, or penetration, is not a particular intrusion method, nor is it some kind of tool. Penetration is an intrusion in which the intruder directly uses the original functions of the target, and it can be carried out with many different methods. These original functions seem so loyal, but once they are mastered by intruders, they become the intruders' powerful tools.


Before any work begins, the intruder needs to probe the target. This includes the purpose of its functions and its vulnerabilities, which play an important role in later work; this process is called "scanning." In general, intruders use scanners to report most of the existing vulnerabilities and the services the other side provides. Once a certain amount of data has been collected, the intruder can decide whether to intrude or give up.


Sneak attack

As mentioned earlier, penetration takes many forms; the currently popular techniques include breaking through special-permission directories, forum penetration, SQL injection and so on.

Breaking through special-permission directories

It was late at night and the guards were drowsy. Suddenly, a dark figure quickly climbed over the wall into the headquarters: the young man who had spent some time in front of the headquarters during the day. He wore special gloves, and the glass on top of the wall had been pulled off and lay scattered on the ground, glinting in the moonlight. The young man had no time to care about that; he turned and hid in the shadows. He is an agent, and his mission is to steal the enemy's latest strategic map. To this end, he had observed the headquarters for several days, and today he finally found a loosely guarded entrance.


Typically, a server sets up directories with special permissions that are used to extend the functionality the server provides; they can execute script programs, such as forums.


Because of this, the programs in these directories often do unexpected things. A program on the server extends functionality and provides human-machine interaction by processing data requests with different content, but even the author of the program cannot anticipate what kind of data the other side may send, and the program will only rigidly follow its instructions, so danger can arise at any time. If the intruder sends specially formatted data to the server, the direct result is that the program overflows, or that the intruder's illegitimate request is carried out, such as access to an unauthorized directory or viewing an unauthorized file, because the program on the server that processes the data does not check it. Because the program does not think at all, it obediently fulfils the intruder's wishes.


Remember the most classic directory penetration, "IIS's two-time coding vulnerability": precisely because the author did not take into account the effect of some special characters, intruders could use a browser or other purpose-built tools to easily get into the server (Figure 1).
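One way for a request handler to check the data it receives before touching the file system, written as an added example rather than code from the article or from IIS. The web root path, the function name and the sample request paths are assumptions constructed for the demonstration; it decodes once, refuses anything that a second decode would still change, and then confirms the normalized path stays inside the script directory.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/srv/www/scripts"  # hypothetical special-permission script directory


def resolve_request_path(raw_path, root=WEB_ROOT):
    """Map a URL path to a file under root, or return None to refuse it."""
    decoded = unquote(raw_path)  # percent-decode exactly once
    # If a second decode would still change the string, the request was
    # encoded twice; refuse it instead of decoding again later in the chain.
    if unquote(decoded) != decoded:
        return None
    if "\x00" in decoded:
        return None
    # Treat backslashes as separators so both forms are normalized together.
    decoded = decoded.replace("\\", "/")
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # Containment check on the normalized result, not on the raw string.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample requests
    for path in ["/forum/index.asp",
                 "/forum/../forum/post.asp",
                 "/..%2f..%2fconfig.ini",
                 "/..%5c..%5cconfig.ini",
                 "/..%252f..%252fconfig.ini"]:
        print(f"{path:32} -> {resolve_request_path(path)}")
```

On a real file system the resolved path should additionally be checked after symbolic links are followed, for example with `os.path.realpath`.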

