?????????Web????????????WEB????????
???????????????? ???????[ 2010/9/8 10:24:27 ] ????????
????1. web??e?????????
????????????????????????????????????????Σ??????????????????????????????????豸???????????ú?????????????????????????????????
????web ????????????????????web????????????????????????????????????web?????????????????????????????????е???????????????????????web??????????????????????????????????????????????????????????web???????????????????????????? 70%??????????????????web????????
????????????????????????????????web?????????????????????????????????????????Σ??????????????????Σ???????????????????????????????web?????????????????????????ж???????????????????????????????web?????????????????????????????????????????о??????????????web???????????????owasp??wasc??????????????
????2. web??????
??????????????web????????????????????????????????????????б????????γ????????????д?????xss??sql injection?????????????????????????web???????????????????????? ??????web???????????ù??????????Χ???????????web?????????????????web????????????????????????????????????????????й???????????????
????xss??ldap injection??sql injection?????injection???????????????????????????Щ??????????????????д?????????Щ????????Щ???????????Щ??????С?????????????????????
??????????????????????????????????????????????????????????????????????????????????????ù???????????????????????????????????????????????????????С??????????????????????????????????????????????????????????owasp??????????????????
????й????????????????д?????????????????????????й?????????????????г????????????д?????????????????????????????????????????????web????????????????????????????????????????????Ч??????????????????????????е???????????????request???????????????仰?????????????????????????????????
????3. ??????
????????г????????????????????????????????????????г????????????????????????????????????????web??e????????????????????λ??????????г????web??e?????????????????????Щ?????????????????web??????????????????Щ???????飬??????????????????????web??????????web??e?????????г????????????????????????????????????????????????web??e?????????????????
?????????web??e?????г???????????в??????????????????????ibm??app scan??hp??web inspect????????????????????????????????????????web?????????п???????????????????????????????????????????в?????????http????????http????????????????????????????????????Щ?????????????????????????в????????sql injection??xss????????????????????в????????????Χ???????????????????????????????????????????????????????web????????б????????????? webscarab??paros??charles??Щ???????????ò?????????web ui?????????????????????????????????????????????????????Щ?????????????web?????????????????????
??????web???????????????????·?????????????????????з????????????????????????????????????????fortify???????????????????е?????????????ЩС??????????????????????????????????web??????????????????????????????????????????
Web????????????
1. ??????????????????web???????IE???server???DB?????y???????????в??????????????script??????????????;app server????????????????????db server??????????Щ????????????????????ο????script????????Щcase???????????????????????????????????????????????script??????????????form?????????????????????????
????2. ???????????? ???web server????sql??????????????sql????????????????????????????????sql?????????????delete all??drop database??????????????????????????????!??????л???????internet??????????????????????У??ж???????????????????web????????????????????
????3. ??????????????????????ɡ?
????WEB???????????BUG???
????1??SQL INJETION
????2??????????????????????
????3??COOKIES?????
????4?????????????
??????SQL INJETION????????
????????
???????????????????????news.asp???ò?????????????????????
????http://www.xxx.com/news.asp?id=1????????????
????????????
????rs.open "select * from news where id=" &
????cstr(request("id"))??conn??1??1
???????????в????????????URL??????????????????????
????select * from news where id=1
????????SQL????????????????????????news???id?1???????????
??????????SQL SERVER??select???????????????е???????????URL???
????http://www.xxx.com/news.asp?id=1and 1=(select count(*) from admin
????where left(name??1)=a)
????SQL???????
????select * news where id=1 and 1=(select count(*)
????from admin where left(name??1)=a)
?????????admin?????????????????name??????????????a????news????id?1???????news????id?1?????????????????????????1&P????P??棬??????棬????????????????檔?????????????????????id?????2????????????????????????????ú??????????????????
??????
???·???
??????????????????
2023/3/23 14:23:39???д?ò??????????
2023/3/22 16:17:39????????????????????Щ??
2022/6/14 16:14:27??????????????????????????
2021/10/18 15:37:44???????????????
2021/9/17 15:19:29???·???????·
2021/9/14 15:42:25?????????????
2021/5/28 17:25:47??????APP??????????
2021/5/8 17:01:11
sales@spasvo.com