2025-01-19 Update From: SLTechnology News&Howtos (Network Security)
Shulou(Shulou.com)06/01 Report--
I. Web command execution
What is command execution?
A command execution vulnerability means that an attacker can run arbitrary system commands on the server. It is a high-risk vulnerability, since every scripting language can call operating system commands.
Applications sometimes need to call functions that execute system commands, such as system, exec, shell_exec, passthru, popen and proc_open in PHP. When the user controls the parameters passed to these functions, malicious system commands can be spliced into the normal command, resulting in a command execution attack; this is the command execution vulnerability.
For example: `ping $target`, where the value passed in for target is `127.0.0.1 && uname -r`.
How to prevent:
1. Disable dangerous functions such as exec in the PHP configuration.
2. Run PHP programs as a non-root user.
3. Use other protections such as a WAF (web application firewall).
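To make the ping case concrete, here is an added example (not code from the original article) showing the vulnerable concatenation beside a hardened version that validates the input as an IP address and quotes it for the shell; the function names are assumed for illustration.

```php
<?php
declare(strict_types=1);

// Vulnerable: the user-controlled target is concatenated straight into the shell command.
// A value such as "127.0.0.1 && uname -r" (the page's example) makes the shell run a
// second command after ping, which is the command execution vulnerability.
function pingVulnerable(string $target): string
{
    $out = shell_exec("ping -c 1 " . $target);
    return is_string($out) ? $out : '';
}

// Hardened: accept only a syntactically valid IPv4/IPv6 address (no shell metacharacters
// can survive this check), then quote the argument with escapeshellarg() as a second layer
// so the shell treats it as a single literal word.
function pingHardened(string $target): string
{
    if (filter_var($target, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException('target must be an IPv4 or IPv6 address');
    }
    $out = shell_exec('ping -c 1 ' . escapeshellarg($target));
    return is_string($out) ? $out : '';
}

// Constructed sample input, the same payload the article describes.
$payload = '127.0.0.1 && uname -r';

try {
    pingHardened($payload);          // rejected before any command runs
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}

// Defence in depth, as the article recommends: also set disable_functions in php.ini
// (e.g. disable_functions = exec,system,shell_exec,passthru,popen,proc_open) where the
// application does not need them, and run PHP under an unprivileged user.
```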
II. Web file execution
Web applications usually have file upload functions, such as publishing pictures, or uploading resumes in doc format on recruitment websites. As long as a web application allows uploads, there may be a file upload vulnerability.
Client-side validation can be bypassed: capture the upload request, modify the file name suffix or the MIME type, and resend it.
III. XSS vulnerabilities
What is XSS?
What is the harm of XSS?
Three types of XSS
XSS:
XSS (Cross Site Scripting, also written CSS) is one of the common Web vulnerabilities, ranking third in the OWASP Top 10 of 2013.
XSS means that client-side script, usually malicious JS code, is embedded in a web page. When a user visits the page containing the embedded malicious code with a browser, the code is executed in that user's browser.
Harm:
Phishing, stealing user cookies, inflating advertising traffic, changing page content, deleting articles, obtaining client information, spreading worms.
Three types of XSS:
1. Reflected XSS
2. Stored XSS
3. DOM-based XSS