Common Web Development Vulnerabilities and How to Fix Them
 
Author: Bernhard Klemm, 火龙果软件 (Huolongguo Software)    Published 2014-10-27
 

ƽʱ¹¤×÷£¬¶àÊýÊÇ¿ª·¢WebÏîÄ¿£¬ÓÉÓÚÒ»°ãÊÇ¿ª·¢ÄÚ²¿Ê¹ÓõÄÒµÎñϵͳ£¬ËùÒÔ¶ÔÓÚ°²È«ÐÔÒ»°ã²»ÊÇ¿´µÄºÜÖØ£¬»ù±¾ÉÏÓÉÓÚÊÇÄÚÍøÏµÍ³£¬Ò»°ãÒ²ºÜÉÙ»áÊܵ½¹¥»÷£¬µ«ÓÐʱºòһЩϵͳƽ̨£¬ÐèÒªÍâÍøÒ²ÒªÊ¹Óã¬ÕâÖÖÇé¿öÏ£¬¸÷·½ÃæµÄ°²È«ÐÔ¾ÍÒªÇó±È½Ï¸ßÁË£¬ËùÒÔÍùÍù»á½»¸¶¸øÒ»Ð©×¨ÃÅ×ö°²È«²âÊԵĵÚÈý·½»ú¹¹½øÐвâÊÔ£¬È»ºó¸ù¾Ý·´À¡µÄ©¶´½øÐÐÐÞ¸´£¬Èç¹ûÄãÆ½³£¶ÔÓÚһЩ°²È«Â©¶´²»¹»Á˽⣬ÄÇô·´À¡µÄ½á¹ûÍùÍùÊǺܲпáµÄ£¬ÆÈʹÄã±ØÐëÔںܶàϸ½ÚÉϽøÐÐÐÞ¸´ÍêÉÆ¡£±¾ÎÄÖ÷Òª¸ù¾Ý±¾ÈËÏîÄ¿µÄһЩµÚÈý·½°²È«²âÊÔ½á¹û£¬ÒÔ¼°±¾ÈËÕë¶ÔÕâЩ©¶´ÎÊÌâµÄÐÞ¸´·½°¸£¬½éÉÜÔÚÕâ·½ÃæµÄһЩ¾­Ñ飬ϣÍû¶Ô´ó¼ÒÓаïÖú¡£

Essentially every site that goes through security (penetration) testing turns out to have some of the following vulnerabilities to a greater or lesser degree: SQL injection, cross-site scripting (XSS), accessible back-end administration login pages, IIS short file/folder name disclosure, and leakage of sensitive system information.

1¡¢²âÊԵIJ½Öè¼°ÄÚÈÝ

ÕâЩ°²È«ÐÔ²âÊÔ£¬¾ÝÁ˽âÒ»°ãÊÇÏÈÊÕ¼¯Êý¾Ý£¬È»ºó½øÐÐÏà¹ØµÄÉøÍ¸²âÊÔ¹¤×÷£¬»ñÈ¡µ½ÍøÕ¾»òÕßϵͳµÄһЩÃô¸ÐÊý¾Ý£¬´Ó¶ø¿ÉÄÜ´ïµ½¿ØÖÆ»òÕßÆÆ»µÏµÍ³µÄÄ¿µÄ¡£

The first step is information gathering: IP addresses, DNS records, software version information, IP ranges and so on. Methods that may be used:

1) Basic network information retrieval;

2) Pinging the target network to obtain IP addresses and TTL values;

3) Tcptraceroute and Traceroute results;

4) Whois results;

5) Netcraft, to discover the target's possible domain names, web and server information;

6) Curl, to retrieve basic information about the target website;

7) Nmap, to port-scan the site and determine the operating system type;

8) Search engines such as Google, Yahoo and Baidu, to gather target information;

9) Tools such as FWtester and Hping3, to probe firewall rules;

10) Others.

The second step is the penetration test itself: using the data gathered above to obtain sensitive data from the site. If this stage succeeds, the tester may obtain ordinary (non-privileged) access. Methods include:

1) Routine vulnerability scanning and checks with commercial software;

2) Vulnerability scanning with commercial or free scanners such as ISS and Nessus;

3) Discovery of network devices with SolarWinds;

4) Scanning for common web vulnerabilities with tools such as Nikto and Webinspect;

5) Scanning and analysis of databases with commercial software such as AppDetectiv;

6) Analysis of web and database applications;

7) Analysis with tools such as WebProxy, SPIKEProxy, Webscarab, ParosProxy and Absinthe;

8) Packet capture with Ethereal to assist analysis;

9) Preliminary analysis for SQL injection and XSS with Webscan and Fuzzer;

10) Manual testing for SQL injection and XSS;

11) Database analysis with tools similar to OScanner;

12) Attacks against common devices, databases, operating systems and applications, using public and private buffer-overflow exploit code as well as exploit collections such as the Metasploit Framework;

13) Application-level attacks, exploiting weaknesses in web, database or specific B/S or C/S network applications;

14) Password guessing, using tools such as X-Scan, Brutus, Hydra and 溯雪 (SuXue).

The third step is to try to escalate from ordinary privileges to administrator privileges and gain full control of the system. When time allows, and where necessary, the process starts again from the first stage. Methods used:

1) Password sniffing and keylogging. Sniffers, keyloggers, trojans and similar software are simple in function but must evade anti-virus software, so they usually have to be custom-built or modified.

2) Password cracking. There are many well-known password-cracking tools, such as L0phtCrack, John the Ripper and Cain.

Those are the testers' steps. We do not necessarily need to pay attention to the process itself; what matters more to us is the report they hand back, because it may expose a lot of security vulnerabilities waiting for us to fix.

2. SQL injection: how it appears and how to fix it

1) Definition of SQL injection:

SQL injection is one of the most common techniques attackers use against databases. As B/S (browser/server) application development has grown, so has the number of programmers writing applications in this model, but their skill and experience vary widely, and a large proportion of them do not validate user-supplied data when writing code, leaving the application with security weaknesses. A user can submit a fragment of database query code and, from the results the program returns, obtain data they are not supposed to see. This is what is known as SQL Injection.

SQL injection can be attempted through URL parameters as well as through form controls. A very common example is appending a ' character to a link: the page throws an error and, in many cases, exposes the physical path of the site in the process; of course, with the CustomErrors setting in Web.Config turned off, it may not be visible.

Because SQL injection is such a common attack, if page parameters are handed straight to a SQL statement without conversion or other processing, sensitive information may be exposed to the attacker. The following two requests, for example, could be used for injection attacks:

① HTTP://xxx.xxx.xxx/abc.asp?p=YY and (select top 1 name from TestD ... type='U' and status>0)>0 returns the name of the first user-created table and compares it with an integer; abc.asp obviously fails, but the error message reveals the table name. Assuming the table found is xyz, then

② HTTP://xxx.xxx.xxx/abc.asp?p=YY and (select top 1 name from TestDB.dbo.sysobjects& ... tatus>0 and name not in('xyz'))>0 returns the name of the second user-created table, and by repeating this the names of all user-created tables can be obtained.

To prevent dangerous SQL statements from executing, parameters may need strict conversion: if a value is supposed to be an integer, convert it strictly to an integer before using it, which avoids some of the potential danger. In addition, any SQL statement that is built up from input must be filtered for SQL injection. My frameworks (Winform development framework, Web development framework and so on) have built-in removal of these harmful statements and symbols; because the filtering is done in the base class, subclasses generally do not need to care about it and are still protected against these routine attacks.

using System.Text.RegularExpressions;

/// <summary>
/// Check whether the input (a condition clause) contains injection code
/// </summary>
/// <param name="inputData">The text to check, e.g. a WHERE condition</param>
/// <returns>true if a known malicious pattern is found</returns>
public bool HasInjectionData(string inputData)
{
    if (string.IsNullOrEmpty(inputData))
        return false;

    // The set of malicious keywords is defined in GetRegexString();
    // check whether inputData (lower-cased) matches any of them
    if (Regex.IsMatch(inputData.ToLower(), GetRegexString()))
    {
        return true;
    }
    else
    {
        return false;
    }
}

/// <summary>
/// Build the regular expression
/// </summary>
/// <returns>A pattern matching any of the SQL injection keywords</returns>
private static string GetRegexString()
{
    // Keywords and symbols characteristic of SQL injection
    string[] strBadChar =
    {
        //"select\\s",
        //"from\\s",
        "insert\\s",
        "delete\\s",
        "update\\s",
        "drop\\s",
        "truncate\\s",
        "exec\\s",
        "count\\(",
        "declare\\s",
        "asc\\(",
        "mid\\(",
        "char\\(",
        "net user",
        "xp_cmdshell",
        "/add\\s",
        "exec master.dbo.xp_cmdshell",
        "net localgroup administrators"
    };

    // Join the keywords into a single alternation: .*(a|b|c).*
    string str_Regex = ".*(";
    for (int i = 0; i < strBadChar.Length - 1; i++)
    {
        str_Regex += strBadChar[i] + "|";
    }
    str_Regex += strBadChar[strBadChar.Length - 1] + ").*";
    return str_Regex;
}

The code above identifies routine SQL-attack strings. In my data-access base class I only need to call it, as in the following function, which looks up database records by a condition clause.

/// <summary>
/// Query the database by condition and return a collection of objects
/// </summary>
/// <param name="condition">The query condition</param>
/// <param name="orderBy">Custom ORDER BY clause, e.g. Order By Name Desc; if not specified, the default ordering is used</param>
/// <param name="paramList">Parameter list</param>
/// <returns>A collection of the specified object type</returns>
public virtual List<T> Find(string condition, string orderBy, IDbDataParameter[] paramList)
{
    // Reject the condition outright if it matches the injection blacklist
    if (HasInjectionData(condition))
    {
        LogTextHelper.Error(string.Format("SQL injection data detected, {0}", condition));
        throw new Exception("SQL injection data detected");
    }
    // ........................... (rest of the method omitted in the original)
}

This is only one aspect of preventing SQL attacks. The other is to consistently assign values through parameters, which greatly reduces the chance of being hit by SQL injection:

Database db = CreateDatabase();
DbCommand command = db.GetSqlStringCommand(sql);   // sql contains placeholders, never user data
command.Parameters.AddRange(param);                // user data is bound as parameters
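As an added illustration (not code from the article or the author's framework), the same lookup written first with string concatenation and then with the integer conversion and parameter binding recommended above, using plain ADO.NET; the Users table and the connection string are assumptions:

```csharp
// Added example, not part of the original article. Assumes a table Users(Id int, Name nvarchar)
// and a SQL Server connection string supplied by the caller.
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

public static class UserRepository
{
    // Unsafe: the raw query-string value becomes part of the SQL text, so whatever the
    // client sends is executed as SQL. Note that the probe shown in ② above uses only
    // "select ... from", which the blacklist in GetRegexString() has commented out,
    // so HasInjectionData() alone would not stop it.
    public static string BuildUnsafeSql(string idFromQueryString)
    {
        return "SELECT Name FROM Users WHERE Id = " + idFromQueryString;
    }

    // Safe: enforce the type first (an id must be an integer), then bind it as a typed
    // parameter so the database never interprets the value as SQL.
    public static List<string> FindNames(string connectionString, string idFromQueryString)
    {
        int id;
        if (!int.TryParse(idFromQueryString, out id))
            throw new ArgumentException("Id must be an integer");

        var names = new List<string>();
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("SELECT Name FROM Users WHERE Id = @id", conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    names.Add(reader.GetString(0));
            }
        }
        return names;
    }
}
```

The type check and the parameter are independent layers: even if the blacklist misses a pattern, a value that is not an integer never reaches the database, and one that is cannot change the statement.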

3. Cross-site scripting: how it appears and how to fix it

Cross-site scripting, also called XSS, is another common script-injection attack. On an interface like the one below, many input fields accept arbitrary content, especially rich-text editor boxes: content such as <script>alert('This is a page pop-up warning');</script> can be entered. If such content appears repeatedly on a home page without being processed, the page keeps popping up dialogs; worse, a script could run an infinite loop until the page exhausts its resources. Attacks like these are very common, so when we publish an application to the Internet or any other hostile network, these issues generally need to be fixed.

XSS attacks may also steal or manipulate client sessions and cookies, which can then be used to impersonate a legitimate user, allowing the attacker to view or change that user's records and carry out transactions as that user. [Recommended measure] Sanitize user input and filter out JavaScript code. We recommend filtering the following characters:

[1] <> (angle brackets)

[2] " (double quote)

[3] ' (single quote)

[4] % (percent sign)

[5] ; (semicolon)

[6] () (parentheses)

[7] & (ampersand)

[8] + (plus sign)

To avoid the XSS attacks described above, the solution is to use HttpUtility.HtmlEncode or, better still, the AntiXSS Library published by Microsoft, which is more secure.

The Microsoft Anti-Cross Site Scripting Library (AntiXSSLibrary) is an encoding library designed to help developers protect their web-based applications from XSS attacks.

For example, when the content above is assigned to a Label control after encoding, no pop-up appears.

But although we escape at display time, what if we also want to restrict the input itself? Use Sanitizer.GetSafeHtmlFragment from the HtmlSanitizationLibrary in AntiXSSLibrary:

using Microsoft.Security.Application;

protected void btnPost_Click(object sender, EventArgs e)
{
    // Strip script and other unsafe markup from the input before it is stored or displayed
    this.lblName.Text = Sanitizer.GetSafeHtmlFragment(txtName.Text);
}

This way, script content is automatically stripped out and never stored, which achieves what we want.
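As an added illustration (not part of the original article), the following helper shows the AntiXSS and HttpUtility encoders chosen per output context alongside the sanitizer; it assumes the AntiXssLibrary and HtmlSanitizationLibrary assemblies are referenced, and the sample input is constructed:

```csharp
// Added example, not part of the original article. Assumes references to
// AntiXssLibrary.dll and HtmlSanitizationLibrary.dll (namespace Microsoft.Security.Application).
using System;
using System.Web;
using Microsoft.Security.Application;

public static class SafeOutput
{
    // Constructed sample: legitimate text ("Tom & Jerry") mixed with a script tag, as an
    // editor box might receive. Encoding keeps the legitimate characters readable, whereas
    // deleting every character in list [1]-[8] above would also mangle "Tom & Jerry".
    public const string Sample = "Tom & Jerry <script>alert('x');</script>";

    // Text placed between tags, e.g. <span>...</span> or a Label control
    public static string ForHtmlBody(string userInput)
    {
        return Encoder.HtmlEncode(userInput);
    }

    // A value placed inside an attribute, e.g. <input value="...">
    public static string ForHtmlAttribute(string userInput)
    {
        return Encoder.HtmlAttributeEncode(userInput);
    }

    // A value placed into a query-string parameter of a generated link
    public static string ForUrlParameter(string userInput)
    {
        return Encoder.UrlEncode(userInput);
    }

    // Rich text that must be stored as HTML: remove script and unsafe markup on input.
    // Output that is not meant to be HTML should still go through one of the encoders.
    public static string StoreRichText(string userInput)
    {
        return Sanitizer.GetSafeHtmlFragment(userInput);
    }

    // Fallback when AntiXSS is not available: the BCL encoder covers the body context
    public static string ForHtmlBodyBcl(string userInput)
    {
        return HttpUtility.HtmlEncode(userInput);
    }
}
```

The point of separating the methods is that the correct encoding depends on where the value is written, not on what the value contains; the sanitizer is for the one case where HTML must be preserved.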

4. IIS short file/folder name vulnerability: how it appears and how to fix it

By guessing short names, an attacker may work out the addresses of important page files, for example that UserList.aspx and MenuList.aspx exist under /Pages/Security/.

[Recommended measures]

1) Forbid the use of "~" or its Unicode encoding in URLs.

2) Disable Windows 8.3 short-name generation.

For the fix, refer to the following, or hand it to the operations department:

http://sebug.net/vuldb/ssvid-60252
http://webscan.360.cn/vul/view/vulid/1020
http://www.bitscn.com/network/security/200607/36285.html

5. Leakage of sensitive system information: how it appears and how to fix it

If a page inherits from the ordinary Page class without checking the session, an attacker who obtains the page address may retrieve important data such as user names from it.

The usual way to avoid this is to make sure every page that should require login performs a session check, something that is very easy to leave out. In my web framework every page inherits from a BasePage, and BasePage performs the login check for all pages in one place.

using System;
using System.Web;
using System.Web.UI;

// A page that requires login simply inherits from BasePage instead of Page
public partial class UserList : BasePage
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // ............... (page logic omitted in the original)
    }
}

/// <summary>
/// BasePage inherits from the permission base abstract class FPage; other pages inherit from BasePage
/// </summary>
public class BasePage : FPage
{
    /// <summary>
    /// Default constructor
    /// </summary>
    public BasePage()
    {
        this.IsFunctionControl = true; // Enable permission checks for the page by default
    }

    /// <summary>
    /// Check whether the user is logged in; if not, redirect to the login page
    /// </summary>
    private void CheckLogin()
    {
        if (string.IsNullOrEmpty(Permission.Identity))
        {
            string url = string.Format("{0}/Pages/CommonPage/Login.aspx?userRequest={1}",
                Request.ApplicationPath.TrimEnd('/'), HttpUtility.UrlEncode(Request.Url.ToString()));
            Response.Redirect(url);
        }
    }

    /// <summary>
    /// Override HasFunction so the permission class decides whether the user has a given function point
    /// </summary>
    /// <param name="functionId">Identifier of the function point</param>
    /// <returns>true if the current user is permitted to use the function</returns>
    protected override bool HasFunction(string functionId)
    {
        CheckLogin();
        bool breturn = false;
        try
        {
            breturn = Permission.HasFunction(functionId);
        }
        catch (Exception)
        {
            Helper.Alerts(this, "BasePage: error calling HasFunction of the permission system");
        }
        return breturn;
    }

    protected override void OnInit(EventArgs e)
    {
        Response.Cache.SetNoStore(); // Prevent caching of the page
        base.OnInit(e);
        CheckLogin(); // Every page checks login before doing anything else
    }
}

Otherwise the page may be attacked: its data can be observed with a packet-capture tool, yielding important user names or related information.

One more point worth noting: on a network that is not particularly secure, it is best to require (and enforce) reasonably complex passwords, for example not all digits and not all letters, with a longer minimum length. Many people choose passwords such as 12345678, 123456 or 123, which are easily guessed and then used to log in to the system, causing unnecessary loss.
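As an added illustration (not part of the original article), a server-side password policy check that enforces the rules just described; the minimum length and the list of known weak values are assumptions chosen for illustration, the list being built from the examples in the text:

```csharp
// Added example, not part of the original article. MinLength and KnownWeak are assumptions.
using System;
using System.Collections.Generic;
using System.Linq;

public static class PasswordPolicy
{
    public const int MinLength = 8;

    // Constructed list from the examples in the text; a real deployment would use a larger one
    private static readonly HashSet<string> KnownWeak =
        new HashSet<string>(StringComparer.Ordinal) { "123", "123456", "12345678" };

    // Returns every reason the candidate is rejected; an empty list means it is accepted
    public static IList<string> Validate(string password)
    {
        var problems = new List<string>();
        if (string.IsNullOrEmpty(password))
        {
            problems.Add("empty");
            return problems;
        }
        if (password.Length < MinLength)
            problems.Add("too short: at least " + MinLength + " characters");
        if (password.All(char.IsDigit))
            problems.Add("digits only");
        if (password.All(char.IsLetter))
            problems.Add("letters only");
        if (KnownWeak.Contains(password))
            problems.Add("on the known-weak list");
        return problems;
    }

    // Convenience wrapper for the registration / change-password handler
    public static bool IsAcceptable(string password)
    {
        return Validate(password).Count == 0;
    }
}
```

Returning the full list of reasons, rather than the first one, lets the page show the user everything that has to change at once; the check must run on the server, since client-side validation can be bypassed.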

6. Summary recommendations

For the problems identified above, I offer the following recommendations.

1) Configure a firewall at the interface between the server and the network to block scanning and probing of the server by outside users.

2) Restrict access to the site's back-end administration, for example: forbid access to the back end from public IP addresses; forbid weak passwords for staff accounts.

3) Perform thorough security checks or filtering on all user-supplied data, paying particular attention to SQL or XSS special characters. These checks or filters must be performed on the server side.

4) Disable Windows 8.3 short-name generation.

5) Restrict access permissions on sensitive pages or directories.

   