Shulou(Shulou.com)06/01 Report--

1: website vulnerability scanning system for black hat optimization

Use some special tools of automation technology to scan some common open source code version number system vulnerabilities, such as dede,phpweb,discuz, these old versions often have some system vulnerabilities with different management rights, and some software can immediately submit a webshell (back door of the website), and then manipulate it with a fruit knife (Chinese kitchen knife). Some can scan the password of the back account according to the system vulnerability, and then log on to the backend of the website to get webshell management rights.

2: purposeful intrusion into the website

For example, to the same industry, or hostile websites to carry out intrusion. If the purposeful penetration of the website can be regarded as a true reflection of technology.

The actual ways to invade are various. There is no need to say much about the basic technical principles mentioned above. When I was in senior high school, I published articles in China's network information security magazines, so I was sometimes asked the same problems as editors. I have found that it is more difficult to express the practical fundamentals for people who have no experience in web development, because attack and defense are always two sides of the same problem: you haven't tried stereo mobility, you can't understand the taste of giant pictures, you can't feel the horrors of zombies without laying out potatoes. To return to the main topic of the article, if you understand the difficulties of network information security, you should also be able to feel the most essential basic principle of Internet intrusion: the use of the shortcomings of Internet service managers in security measures.

The aforementioned injection, which takes time to change the code, can fix the vulnerability. And overflow attacks and so on, can upgrade the code to block. Is the user name and password too simple and clear? Change it to a complicated one and keep it in mind ok. However, this takes time and money, and if you are a manager, you should know that it is impossible to be foolproof. As a rational person, the most practical practice is to make the damage of the website hacker attack plus the cost of security enforcement lower than the cost of the invader's intrusion efforts. However, in many examples in real life, the cost of the aggressor's efforts is actually small, so many managers either feel that the website they maintain is worthless, or they do not bother to change the login password of the background management. You can understand the basic principles of black websites, first of all, you have to understand the basic principles of making websites.

You don't know what a website is, how can you figure out how to hack it?

The basic principles of hacking a website roughly include the following categories:

1. Injection, that is, according to typing some unique content, let the program flow of the website accept some unique actual operation commands. Injection is divided into front-end development injection and database query injection. The actual operation commands of front-end development injection are executed by computer browsers. For example, if I type a script to make the website, if you open the website and log in, your computer browser will send your information content to me for database query injection. Sorry, the actual operation command is also in the computer browser. But the execution is really executed by the sentence of the back-end development program flow. You originally put a text box on the web page to send a comment. As a result, I wrote a sentence to delete the database. Your back-end development program process thought that I wrote an evaluation, and prepared it in advance to store it in the database query. When the results are saved, which sentence is run and the data information of the database query is deleted? That's how your website was deleted. Naturally, the whole process is simplified, and now there are often anti-injection measures. There is no way to deceive the back-end program flow. If you still encounter the problem of hacking and tampering, you need professional website security companies to seek help, such as SINESAFE, Eagle Shield Security, Green Alliance, Tektronix and so on.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.