Common intrusion methods and defenses for websites

Source: Internet
Author: User
Tags: SQL injection attack

Website intrusion techniques fall roughly into the following categories:

1. Upload intrusion
An upload intrusion gains a foothold by uploading files. Anywhere a site accepts uploads (forum attachments, user-submitted pictures on an information site, and so on) can be abused to upload a web Trojan, i.e. a script backdoor, and once the Trojan is on the server a great deal of information is exposed. This flaw is very common in site source code and is among the most heavily exploited by attackers, because an upload vulnerability yields a webshell directly; its damage level is extremely high.
Defense method: For third-party and open-source code, apply the vendor's patches promptly. Restrict uploads by file type and size, and restrict the permissions of the folder in which uploaded files are stored: the folder that holds pictures does not need script execution permission, so remove script execution permission and archive extraction permission from it.
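As an added example (not code from the original article), here is an upload check in Python that applies the defenses listed above: an allow-list of extensions, a size limit, a check that the file's leading bytes match the claimed type, rejection of names that smuggle a script extension, and a server-chosen random storage name. The allowed types, the 2 MiB limit and the script-extension list are assumptions for the example. The storage folder still needs script execution removed at the web-server level; that cannot be done from inside the upload handler.

```python
import os
import secrets

# Constructed policy for this example: only raster images are accepted,
# and every allowed extension must agree with the file's magic bytes.
ALLOWED_TYPES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
SCRIPT_PARTS = {"asp", "aspx", "asa", "cer", "cdx", "php", "jsp"}  # assumed deny-list
MAX_BYTES = 2 * 1024 * 1024  # assumed site limit: 2 MiB


def validate_upload(filename: str, data: bytes):
    """Return (True, normalised extension) or (False, reason).

    The client-supplied name is used only to pick the extension; it never
    reaches the disk (see storage_name)."""
    if len(data) > MAX_BYTES:
        return False, "too large"
    if "\x00" in filename:
        return False, "null byte in name"
    base = os.path.basename(filename.replace("\\", "/"))  # drop any path part
    root, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_TYPES:
        return False, "extension not allowed"
    # shell.asp.jpg, shell.asp;.jpg and friends: any script token inside the
    # name is refused, because some servers execute on the inner extension.
    tokens = {t.strip().lower() for t in root.replace(";", ".").split(".")}
    if tokens & SCRIPT_PARTS:
        return False, "script extension embedded in name"
    if not data.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match extension"
    return True, ext


def storage_name(ext: str) -> str:
    """Random, server-chosen file name: 32 hex chars plus the vetted extension."""
    return secrets.token_hex(16) + ext


def handle_upload(filename: str, data: bytes, upload_dir: str):
    """Validate and return the path the file would be written to, or None."""
    ok, result = validate_upload(filename, data)
    if not ok:
        return None
    # upload_dir is assumed to be served as static files only, with script
    # execution disabled in the web server configuration.
    return os.path.join(upload_dir, storage_name(result))
```

The magic-byte check catches the common trick of renaming a script to `.jpg`; the token check catches `shell.asp.jpg` and `shell.asp;.jpg`, which older IIS versions executed as ASP. Because the stored name is random, an attacker also cannot predict where the file landed.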

2. Bauku (database exposure): downloading the database directly
Bauku ("exposing the database") mainly targets websites that use Microsoft Access databases. Many beginners download a free program from the internet and upload it as-is, so an attacker can download the database easily, because it sits at the program's default path.
Bauku means submitting crafted characters to obtain the database file; with the database file in hand, we effectively hold the site's front-end or back-end privileges.
Bauku method: Take a site address such as http://www.xxx.com/dispbbs.asp?boardID=7&ID=161 and replace the "/" between the host (.com) and dispbbs with %5c. If the site is vulnerable, the error page reveals the absolute path of the database, which can then be downloaded with Thunder (a download manager) or any similar tool. Another way is to append conn.asp to http://www.xxx.com/; if the default database path has not been changed, this also yields the database path (again with "/" replaced by %5c). Why replace "/" with %5c? %5c is the URL encoding of the backslash "\": when the path contains a backslash, the server fails to resolve the database's relative path, and the resulting error message includes the physical path of the database file. Sometimes the database name contains a "#", for example /#abc.mdb, and the .mdb will not download because the browser treats "#" as the start of a fragment; encode the "#" as %23 and it downloads. If the exposed database file ends in .asp, download it as-is and rename .asp to .mdb. If the download fails, the site has probably applied anti-download measures.
Defense method: Change the default database path; apply anti-download protection to the .mdb file so the web server never serves it; and do not display raw error messages on the page.
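Added example, not code from the original article: both sides of the bauku trick in Python. `bauku_probe` builds the probe URL described above by swapping the last "/" before the script name for %5c (the encoded backslash), and `encode_db_url` percent-encodes a "#" in the database name as %23 so the whole name is requested. On the defending side, `blocked_by_anti_download` is a request filter that decodes percent-encoding (repeatedly, to defeat double encoding), normalises backslashes, and refuses to serve anything whose final path component has a database-file extension. The extension list is an assumption for the example; in production this check belongs in the web server's own configuration, alongside suppressing error pages.

```python
from urllib.parse import quote, unquote

# Extensions an Access-backed ASP site should never serve as static files.
# Assumed list for this example; .asp is absent because it must still execute.
DB_FILE_EXTENSIONS = (".mdb", ".ldb", ".asa", ".bak", ".old")


def bauku_probe(url: str) -> str:
    """Attacker side: replace the last '/' before the script with %5c.

    http://www.xxx.com/dispbbs.asp?boardID=7&ID=161
    -> http://www.xxx.com%5cdispbbs.asp?boardID=7&ID=161
    A vulnerable ASP site fails to resolve the path and prints an error
    containing the physical path of the database file."""
    base, sep, query = url.partition("?")
    head, slash, script = base.rpartition("/")
    if not slash:
        return url
    return head + "%5c" + script + sep + query


def encode_db_url(site: str, db_path: str) -> str:
    """Fetch a database whose name contains '#': encode it as %23, otherwise the
    browser treats everything after '#' as a fragment and never sends it."""
    return site.rstrip("/") + quote(db_path, safe="/")


def _fully_decoded(path: str, rounds: int = 3) -> str:
    """Peel up to `rounds` layers of percent-encoding (defeats %252e tricks)."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def blocked_by_anti_download(request_path: str) -> bool:
    """Defender side: True when the request targets a database file."""
    path = _fully_decoded(request_path.split("?", 1)[0])
    path = path.replace("\\", "/").lower()
    last = path.rsplit("/", 1)[-1]
    return last.endswith(DB_FILE_EXTENSIONS)
```

Decoding before matching matters: a filter that only compares the raw request against ".mdb" is bypassed by "%2emdb", and one that does not fold "\" into "/" is bypassed by the very %5c trick the attacker is already using.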

3. SQL injection vulnerability
This is currently the most widely exploited and most damaging class of flaw; it has been said that even Microsoft's official website has had injection flaws. An injection vulnerability arises because user-supplied characters are not filtered strictly, so the statement the application sends to the database can be altered, and among other things the administrator's account and password can be obtained. Take the URL http://www.xxx.com/dispbbs.asp?boardID=7&ID=161, which ends in a numeric id= parameter. Manually append " and 1=1" to it and look at the page. If it displays normally, append " and 1=2" instead: if the page is still displayed normally there is no vulnerability, but if an error page comes back an injection vulnerability exists. If appending " and 1=1" already returns an error page, there is no vulnerability either, and we know the site offers no way in by this method.
Defense method: Do not assemble SQL statements dynamically from strings; use parameterized SQL statements instead. Check the length of received parameters, and escape single and double quotes, the "--" comment sequence, and the underscore and percent-sign wildcards along with other SQL comment characters.
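Added example in Python with SQLite, not code from the article or from any ASP forum program: `fetch_post_vulnerable` builds the query by string concatenation, exactly the pattern the and 1=1 / and 1=2 test detects, while `fetch_post_parameterized` sends the id as a bound parameter. `looks_injectable` automates the manual check from the paragraph above: the page counts as injectable when appending `and 1=1` leaves the result unchanged but `and 1=2` changes it. The tables, rows and hash value are constructed for the example.

```python
import sqlite3

# Constructed schema: a posts table like the one dispbbs.asp reads, and an
# admin table holding a made-up MD5 hash, to show what a UNION injection leaks.
SCHEMA = """
CREATE TABLE posts (id INTEGER PRIMARY KEY, boardID INTEGER, title TEXT);
INSERT INTO posts VALUES (161, 7, 'hello');
INSERT INTO posts VALUES (162, 7, 'world');
CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO admin VALUES (1, 'admin', 'e10adc3949ba59abbe56e057f20f883e');
"""


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def fetch_post_vulnerable(conn, id_param: str):
    """Dynamic assembly: whatever follows 'ID=' in the URL becomes SQL."""
    sql = "SELECT title FROM posts WHERE id=" + id_param
    return conn.execute(sql).fetchall()


def fetch_post_parameterized(conn, id_param: str):
    """The value travels separately from the statement and is never parsed as
    SQL; tampered input such as '161 and 1=1' simply matches no row."""
    return conn.execute("SELECT title FROM posts WHERE id=?", (id_param,)).fetchall()


def validate_id(id_param: str, max_len: int = 10):
    """Length and type check on the received parameter, as the defense advises.
    Returns the integer, or None when the parameter is not a short positive int."""
    if len(id_param) > max_len or not id_param.isdigit():
        return None
    return int(id_param)


def looks_injectable(fetch, conn, base_id: str) -> bool:
    """Automates the manual test: 'and 1=1' must not change the page, 'and 1=2' must."""
    def page(param):
        try:
            return ("ok", fetch(conn, param))
        except sqlite3.Error:
            return ("error", None)

    baseline = page(base_id)
    true_case = page(base_id + " and 1=1")
    false_case = page(base_id + " and 1=2")
    return true_case == baseline and false_case != baseline
```

With the concatenating version, `161 union select password from admin` returns the admin's hash alongside the post title; with the parameterized version the same string is compared to the id column as a literal and nothing comes back. Validation of length and type is a second layer, not a replacement for parameters.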

4. XSS / CSRF cross-site attacks
XSS (cross-site scripting) and CSRF (cross-site request forgery) resemble the well-known SQL injection attack in that they exploit carelessly written web pages. SQL injection smuggles SQL statements in as user input in order to query, modify or delete data; an XSS attack instead inserts a malicious script into the page to take control of the user's browser. It lets a malicious user place code (HTML and client-side script) into a page that other users will view, then lures those users into clicking a link or browsing the page, at which point document.cookie and other information are sent to a server the attacker designates. The attacker can then impersonate the user, log in to the site as them, and steal their data or other sensitive information. CSRF, for its part, makes the victim's browser send a request the victim did not intend, riding on the cookies the browser already holds for the site.
Defense method: Encrypt or sign cookie contents; set the HttpOnly attribute on cookies wherever possible so that script cannot read them; validate the length of received user input; and HTML-encode received user input before placing it in a page.
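Added example (Python; not the article's code) of the output-encoding and cookie-attribute defenses above. `render_comment` HTML-encodes untrusted text before it lands in element content and in an attribute, `check_length` enforces an input-size limit, and `session_cookie_header` emits a Set-Cookie value with HttpOnly (so document.cookie cannot read it) plus Secure and SameSite. The CSRF token pair goes one step beyond the article's list: a per-session random token that every state-changing form must echo back, compared in constant time. Cookie name, limits and template markup are assumptions for the example.

```python
import html
import hmac
import secrets
from http.cookies import SimpleCookie

MAX_COMMENT = 2000  # assumed input limit


def check_length(text: str, limit: int = MAX_COMMENT) -> bool:
    return len(text) <= limit


def render_comment(author: str, body: str) -> str:
    """Untrusted text is encoded for the exact context it lands in:
    quote=True for the attribute value, plain escaping for element content."""
    safe_author = html.escape(author, quote=True)
    safe_body = html.escape(body)
    return f'<div class="comment" data-author="{safe_author}"><p>{safe_body}</p></div>'


def session_cookie_header(session_id: str, secure: bool = True) -> str:
    """Set-Cookie value with the attributes that blunt cookie theft:
    HttpOnly keeps script away from the value, SameSite=Lax limits CSRF,
    Secure keeps it off plain HTTP."""
    jar = SimpleCookie()
    jar["session"] = session_id
    jar["session"]["httponly"] = True
    jar["session"]["samesite"] = "Lax"
    jar["session"]["path"] = "/"
    if secure:
        jar["session"]["secure"] = True
    return jar["session"].OutputString()


def issue_csrf_token() -> str:
    """Random per-session token, stored server side and embedded in forms."""
    return secrets.token_urlsafe(32)


def csrf_token_valid(expected: str, submitted) -> bool:
    """Constant-time comparison; a missing or wrong token rejects the request."""
    return isinstance(submitted, str) and hmac.compare_digest(expected, submitted)
```

Note that HttpOnly does not stop the script from running; it only denies it the cookie value. Encoding on output is what stops the script, and it has to be done for every context the data is written into (an attribute needs quotes escaped, a URL needs URL encoding), not once on input.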

5. Cookie spoofing
A cookie is a small record the website keeps in your browser while you surf, holding information such as your name, ID and login state, and almost all websites use cookies.
So how is a cookie used to cheat? Suppose we know the administrator's user ID and MD5 password hash for site XX but cannot crack the hash (the stored value is a 16-character MD5 hash). We can use cookie spoofing: change the ID in our own cookie to the administrator's and the MD5 password field to his. There are tools that edit cookies, so this is easy, and the system then believes we are the administrator.
Defense method: Encrypt or sign the cookie so its contents cannot be altered, and never trust an identity or password hash simply because the client presented it in a cookie.
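Added example (Python; not the article's code) contrasting the spoofable cookie described above with a signed one. `legacy_identity` does what the vulnerable ASP programs did: it trusts the id and MD5 fields straight from the cookie, so editing them makes you the administrator. `sign_cookie` and `verify_cookie` instead bind the user id and role to an HMAC-SHA256 tag under a server-side key, with an expiry, and `tamper` shows that rewriting the id while keeping the tag is rejected. The key, field layout and time values are constructed for the example; the key must live outside the web root.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
import time

# Server-side key, generated at startup for this example; in a real deployment
# it is loaded from configuration outside the web root and rotated.
SECRET_KEY = secrets.token_bytes(32)


def legacy_identity(cookie: str):
    """The vulnerable pattern: parse 'id=...; pwd=<md5>' and believe it.
    Anyone who knows the admin's id and hash just writes them in."""
    fields = dict(part.strip().split("=", 1) for part in cookie.split(";") if "=" in part)
    return {"user_id": int(fields["id"]), "pwd_hash": fields["pwd"]}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


def _tag(payload: bytes) -> bytes:
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()


def sign_cookie(user_id: int, role: str, ttl: int = 3600, now=None) -> str:
    """payload.tag, where payload = user_id|role|expiry and tag = HMAC(payload)."""
    now = int(time.time() if now is None else now)
    payload = f"{user_id}|{role}|{now + ttl}".encode()
    return _b64(payload) + "." + _b64(_tag(payload))


def verify_cookie(cookie: str, now=None):
    """Return the identity only if the tag matches and the cookie is unexpired."""
    now = int(time.time() if now is None else now)
    try:
        p64, t64 = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(p64)
        tag = base64.urlsafe_b64decode(t64)
        user_id, role, expiry = payload.decode().split("|")
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return None
    if not hmac.compare_digest(tag, _tag(payload)):
        return None
    if int(expiry) <= now:
        return None
    return {"user_id": int(user_id), "role": role}


def tamper(cookie: str, user_id: int, role: str) -> str:
    """What a cookie-editing tool does: rewrite the payload, keep the old tag."""
    p64, t64 = cookie.split(".", 1)
    _, _, expiry = base64.urlsafe_b64decode(p64).decode().split("|")
    return _b64(f"{user_id}|{role}|{expiry}".encode()) + "." + t64
```

The essential point is that the cookie carries nothing the client is trusted to assert: the server derives "who is this" from a tag only it can compute. A server-side session store keyed by a random id achieves the same thing and additionally allows immediate revocation.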

6. Program vulnerabilities
A website program vulnerability is a flaw in the program code itself. Examples: you use DedeCMS without changing the default back-end address and admin account, you do not apply the DedeCMS patches, or you run a cracked copy of a program. Such flaws are fatal, because once a vulnerability is known, a quick search-engine query for the program's fingerprint easily turns up hundreds of vulnerable sites.
Defense method: Avoid cracked program source code as far as possible. When using a well-known CMS, follow the security configuration the vendor publishes, and erase the program's identifying information (version strings and the like) from the website. In addition, an information site should close the member center if it is not needed, and a forum should strictly restrict attachment formats. Keep up with patches, and do not set up sites casually.

7. Brute-force ("blasting") intrusion
Blasting means brute force. Many programs on the internet scan for and crack FTP, server login addresses and the like. If you use a weak password, such as a six-digit password on the server's root account, it is brute-forced easily. This intrusion method is crude but very effective, because people never like overly complex passwords.
Defense method: Use passwords of no fewer than 18 characters, combining upper- and lower-case letters, digits and symbols, and make sure the password for this account differs from your passwords elsewhere, so that a dictionary built from leaked credentials does not match. As for the back-end address and port number, do not use the usual ones; here complexity means safety.
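Added example (Python; not from the article) implementing the defensive side of this section: `password_problems` checks a candidate against the policy above (length, character classes, a tiny constructed common-password list, reuse across accounts), `keyspace_bits` estimates how much search a brute-forcer faces, and `LoginThrottle` locks an account or source after repeated failures, which is what actually stops online guessing against services like FTP or a back-end login. The thresholds and the word list are assumptions.

```python
import math
import string
import time
from collections import defaultdict

# Constructed stand-in for a real breached-password list.
COMMON_PASSWORDS = {"123456", "password", "admin", "root", "qwerty", "12345678", "111111", "abc123"}


def password_problems(pw: str, min_len: int = 18, used_elsewhere=()):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    if sum(classes) < 3:
        problems.append("needs at least three of: lower, upper, digit, symbol")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears in a common-password list")
    if pw in used_elsewhere:
        problems.append("reused from another account")
    return problems


def keyspace_bits(pw: str) -> float:
    """log2 of the brute-force space for passwords of this length drawn from the
    character classes actually present (an upper bound on real strength)."""
    alphabet = 0
    if any(c.islower() for c in pw):
        alphabet += 26
    if any(c.isupper() for c in pw):
        alphabet += 26
    if any(c.isdigit() for c in pw):
        alphabet += 10
    if any(c in string.punctuation for c in pw):
        alphabet += len(string.punctuation)
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


class LoginThrottle:
    """Refuse logins for a key (account or source IP) after `max_failures`
    failed attempts within `window` seconds; brute force needs many attempts."""

    def __init__(self, max_failures: int = 5, window: int = 300):
        self.max_failures = max_failures
        self.window = window
        self._failures = defaultdict(list)

    def _recent(self, key, now):
        self._failures[key] = [t for t in self._failures[key] if now - t < self.window]
        return self._failures[key]

    def allowed(self, key, now=None) -> bool:
        now = time.time() if now is None else now
        return len(self._recent(key, now)) < self.max_failures

    def record_failure(self, key, now=None):
        now = time.time() if now is None else now
        self._recent(key, now).append(now)

    def record_success(self, key):
        self._failures.pop(key, None)
```

A six-digit numeric password has a search space of about 20 bits, roughly a million guesses, which is trivial online and instant offline; the policy check and the throttle address the two ends of that problem. Throttling by account alone invites lockout denial of service, so real deployments usually combine per-account and per-source counters.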

8. Side-note (neighbouring-site) intrusion
The target site may be strong and invulnerable on its own: the program is secure and the security configuration very professional. In that case we look for another site hosted on the same server, break into that one, and then use privilege escalation, sniffing and other methods to reach the site we actually want. By analogy: you and I live in the same building. My home is secure and yours is flawed. A thief wants to get into my home; he has watched my household and found nothing to exploit. Then he discovers that your home and mine are in the same building and that yours is easy to enter. Through your home he obtains the key to the whole building (system access), and with it my key, so he can walk into my home (the website).
Defense method: This often happens on shared virtual hosting: one site is compromised and, if the server's security configuration is poor, the attacker can gain server privileges and with them every site on the machine. If your budget allows, choose a VPS or a cloud host; security improves by more than one grade.


Copyright notice: This document is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 China Mainland (CC BY-NC-SA 3.0 CN) License; please credit the author and source.
Article title: Common intrusion methods and defenses for websites
Article link: http://www.cnblogs.com/sochishun/p/7007959.html
Author: Sochishun (e-mail: 14507247#qq.com | blog: http://www.cnblogs.com/sochishun/)
Published: June 14, 2017
