Webmaster Friend is your website safe?

Intermediary transaction http://www.aliyun.com/zixun/aggregation/6858.html ">seo diagnose Taobao guest cloud host technology Hall

Today, I was bored and went into a website to think that the site can also, I found that the site is in ASP language, I casually added a ' Up, incredibly data errors, and then I guess the solution, to the end of the site's account password guess solved. I didn't change him, just leave him a message and tell him. Now many stations have too many injection points. I hope you can do a good job of network management. Don't make too many loopholes, this not only harm and harm already.

What kind of site is vulnerable to hacker intrusion?

Some people say, I am a low-key point, do not offend people, naturally no one black me. In fact, even if you do not have a competitor to hire people black you, there will be curious or practice technology boring hackers want to invade your station to explore the truth.

So, what kind of station is easy to be hacked. is not the bad person's station, but is the loophole website.

Whether your station is a dynamic site, such as ASP, PHP, JSP this form of site, or static site, there are the possibility of intrusion.

Is there a loophole in your website? How do you know if your site is vulnerable?

Ordinary hackers mainly through the upload of loopholes, Bauku, injection, side note and other ways to invade nearly 70% of the site. Of course, there are higher levels of intrusion, and some hackers have been following a site for several months to find an intrusion point. Let's focus on these easily hacked sites.

1, upload the vulnerability

This loophole in the DVBBS6.0 era was the most rampant use of hackers, the use of upload vulnerabilities can be directly webshell, the threat level is super high, now the intrusion of the upload vulnerability is also a common loophole.

Vulnerability Explanation:

In the site's address bar after the URL plus/upfile.asp if the display upload format is incorrect [re-upload] Such words 80% is to upload a loophole to find a tool can be uploaded directly can be Webshell.

Tools Introduction:

Upload tools, veterans of the Upload tool, DOMAIN3.5, these two software can achieve the purpose of uploading, with NC can also be submitted.

Expert resolving:

What is Webshell? Many people do not understand, here is simple, in fact, Webshell is not something profound, is a Web permissions, you can manage the Web, modify the contents of the homepage, such as permissions, but there is no particularly high privileges, (this look at the administrator's settings) General modification of other people's home page Most need this permission, contact with the Web Trojan friends may know (such as the veteran Webmaster Assistant is the Web Mumahaiyang 2006 is also a Web Trojan) we upload the flaw finally pass is this thing, Sometimes a server with bad permissions can get the highest privileges through Webshell.

Remind：

Most of the Web site's procedures are in the public program based on the modified, the program will always have loopholes. Intelligent webmaster should learn to master the above tools and often pay attention to the latest vulnerabilities of their Web applications. and use the above tools for self testing to ensure that the site is safe.

2, Bauku:

Many sites have this vulnerability to exploit. Very dangerous!

Vulnerability Explanation:

Bauku is the submission of characters to get the database file, get the database files hackers directly have the site's front desk or backstage permissions. For example, the address of a station is http: www. xxx.com/dispbbs.asp?boardid=7&id=161, hackers can be the middle of the Com/dispbbs/replaced by%5c, if there is a loophole directly to the absolute path of the database, with the Thunder or something to download down on it. There is also a way to use the default database path http://www.xxx.com/followed by the conn.asp. You can also get the path to the database without modifying the default database path (Note: here/also change to%5c).

Resolving：

Why switch to%5c: Because in ASCII code/equals%5c, sometimes the database name is/#abc. Why can't the MDB? Here need to replace the # number%23 can be downloaded, why I burst out of the database file is. ASP at the end of what should I do? here can be downloaded. ASP replaced. MDB so you can download it if you can't download it.

Remind：

The database is always the most interesting thing for hackers. Database security is not fully considered by every programmer in programming. Should be on the line, find a professional security company to test database penetration testing to ensure that the database security.

3. Injection loophole:

This loophole is now the most widely used, lethal also a lot of loopholes, can be said that Microsoft's official website also has injected loopholes.

Vulnerability Explanation:

Injection vulnerability is due to character filtering is not strictly caused by, you can get the administrator's account password and other related information.

Resolving：

Let me introduce how to find a loophole, such as this URL http://www.xxx.com/dispbbs.asp?boardid=7&id=161 After the end of the Id= digital form of the station we can manually add an and 1=1 at the back if the normal page is displayed plus an and 1 = two to see if the return to the normal page description There is no vulnerability if the error page is returned to indicate an injection vulnerability. If Add and 1=1 return error page description There is no loophole, know the site has no loopholes I can use the door

Tools Introduction:

Can be a hand to guess the solution can also use tools now more tools (Nbsi NDSI AH domain, etc.) can be used to guess the account password, suggest that we use tools, hand more cumbersome.

Remind：

The website of the large company should find the high-level programmer who understands safe programming to carry on, and develop on-line, should ask a professional company to carry on safety test. To ensure that the program is safe and reliable!

4, Side note:

When we invade a certain station may this station sturdy and unassailable, we can look for and this station same server's site, then uses this site to use the authority, the sniffing and so on the method to invade our to invade the site. A figurative analogy, for example, you and I are neighbors, my home is safe, and your home, but it is easy to go in and steal things. Now a thief wants to invade my home, he to my home did the exploration, casing, found it difficult to enter my home, then the thief found your home and my family is a neighbour, through your home can easily enter as my home. He can enter your home first, and then through your balcony into my home.

Tools Introduction:

Or a kid's DOMIAN3.5 good things, can detect injection, can be a side note, but also upload!

Finally casually ad my small station www.i3ss.cn is a professional Uusee resource station