PHP的网站主要攻击方式有哪些?-PHP Tutorial-php.cn

Home

Backend Development

PHP Tutorial

PHP的网站主要攻击方式有哪些?

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB

Jun 20, 2016 pm 12:36 PM

1、命令注入(Command Injection)

2、eval注入(Eval Injection)

3、客户端脚本攻击(Script Insertion)

4、跨网站脚本攻击(Cross Site Scripting, XSS)

5、SQL注入攻击(SQL injection)

6、跨网站请求伪造攻击(Cross Site Request Forgeries, CSRF)

7、Session 会话劫持(Session Hijacking)

8、Session 固定攻击(Session Fixation)

9、HTTP响应拆分攻击(HTTP Response Splitting)

10、文件上传漏洞(File Upload Attack)

11、目录穿越漏洞(Directory Traversal)

12、远程文件包含攻击(Remote Inclusion)

13、动态函数注入攻击(Dynamic Variable Evaluation)

14、URL攻击(URL attack)

15、表单提交欺骗攻击(Spoofed Form Submissions)

16、HTTP请求欺骗攻击(Spoofed HTTP Requests)

以后的每期连载，会逐个介绍这些漏洞的原理和防御方法。

几个重要的php.ini选项

Register Globals

php>=4.2.0，php.ini的register_globals选项的默认值预设为Off，当register_globals的设定为On时，程序可以接收来自服务器的各种环境变量，包括表单提交的变量，而且由于PHP不必事先初始化变量的值，从而导致很大的安全隐患。

例1:

//check_admin()用于检查当前用户权限，如果是admin设置$is_admin变量为true，然后下面判断此变量是否为true，然后执行管理的一些操作

//ex1.php

if (check_admin())
{
$is_admin = true;
}
if ($is_admin)
{
do_something();
}
?>

这一段代码没有将$is_admin事先初始化为Flase，如果register_globals为On，那么我们直接提交 http://www.sectop.com/ex1.php?is_admin=true,就可以绕过check_admin()的验证

例2:

//ex2.php

if (isset($_SESSION["username"]))
{
do_something();
}
else
{
echo “您尚未登录!”;
}
?>

当register_globals=On时，我们提交=dodo]http://www.sectop.com/ex2.php?_SESSION[username]=dodo，就具有了此用户的权限

所以不管register_globals为什么，我们都要记住，对于任何传输的数据要经过仔细验证，变量要初始化

safe_mode

安全模式，PHP用来限制文档的存取、限制环境变量的存取，控制外部程序的执行。启用安全模式必须设置php.ini中的safe_mode = On

1、限制文件存取

safe_mode_include_dir = “/path1:/path2:/path3″

不同的文件夹用冒号隔开

2、限制环境变量的存取

safe_mode_allowed_env_vars = string

指定PHP程序可以改变的环境变量的前缀，如:safe_mode_allowed_env_vars = PHP_ ,当这个选项的值为空时，那么php可以改变任何环境变量

safe_mode_protected_env_vars = string

用来指定php程序不可改变的环境变量的前缀

3、限制外部程序的执行

safe_mode_exec_dir = string

此选项指定的文件夹路径影响system、exec、popen、passthru，不影响shell_exec和“` `”。

disable_functions = string

不同的函数名称用逗号隔开，此选项不受安全模式影响

magic quotes

用来让php程序的输入信息自动转义，所有的单引号(“’”)，双引号(“””)，反斜杠(“\”)和空字符(NULL)，都自动被加上反斜杠进行转义

magic_quotes_gpc = On 用来设置magic quotes 为On，它会影响HTTP请求的数据(GET、POST、Cookies)

程序员也可以使用addslashes来转义提交的HTTP请求数据，或者用stripslashes来删除转义

Statement

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

The Continued Use of PHP: Reasons for Its EnduranceApr 19, 2025 am 12:23 AM

What’s still popular is the ease of use, flexibility and a strong ecosystem. 1) Ease of use and simple syntax make it the first choice for beginners. 2) Closely integrated with web development, excellent interaction with HTTP requests and database. 3) The huge ecosystem provides a wealth of tools and libraries. 4) Active community and open source nature adapts them to new needs and technology trends.

PHP and Python: Exploring Their Similarities and DifferencesApr 19, 2025 am 12:21 AM

PHP and Python are both high-level programming languages that are widely used in web development, data processing and automation tasks. 1.PHP is often used to build dynamic websites and content management systems, while Python is often used to build web frameworks and data science. 2.PHP uses echo to output content, Python uses print. 3. Both support object-oriented programming, but the syntax and keywords are different. 4. PHP supports weak type conversion, while Python is more stringent. 5. PHP performance optimization includes using OPcache and asynchronous programming, while Python uses cProfile and asynchronous programming.

PHP and Python: Different Paradigms ExplainedApr 18, 2025 am 12:26 AM

PHP is mainly procedural programming, but also supports object-oriented programming (OOP); Python supports a variety of paradigms, including OOP, functional and procedural programming. PHP is suitable for web development, and Python is suitable for a variety of applications such as data analysis and machine learning.

PHP and Python: A Deep Dive into Their HistoryApr 18, 2025 am 12:25 AM

PHP originated in 1994 and was developed by RasmusLerdorf. It was originally used to track website visitors and gradually evolved into a server-side scripting language and was widely used in web development. Python was developed by Guidovan Rossum in the late 1980s and was first released in 1991. It emphasizes code readability and simplicity, and is suitable for scientific computing, data analysis and other fields.

Choosing Between PHP and Python: A GuideApr 18, 2025 am 12:24 AM

PHP is suitable for web development and rapid prototyping, and Python is suitable for data science and machine learning. 1.PHP is used for dynamic web development, with simple syntax and suitable for rapid development. 2. Python has concise syntax, is suitable for multiple fields, and has a strong library ecosystem.

PHP and Frameworks: Modernizing the LanguageApr 18, 2025 am 12:14 AM

PHP remains important in the modernization process because it supports a large number of websites and applications and adapts to development needs through frameworks. 1.PHP7 improves performance and introduces new features. 2. Modern frameworks such as Laravel, Symfony and CodeIgniter simplify development and improve code quality. 3. Performance optimization and best practices further improve application efficiency.

PHP's Impact: Web Development and BeyondApr 18, 2025 am 12:10 AM

PHPhassignificantlyimpactedwebdevelopmentandextendsbeyondit.1)ItpowersmajorplatformslikeWordPressandexcelsindatabaseinteractions.2)PHP'sadaptabilityallowsittoscaleforlargeapplicationsusingframeworkslikeLaravel.3)Beyondweb,PHPisusedincommand-linescrip

How does PHP type hinting work, including scalar types, return types, union types, and nullable types?Apr 17, 2025 am 12:25 AM

PHP type prompts to improve code quality and readability. 1) Scalar type tips: Since PHP7.0, basic data types are allowed to be specified in function parameters, such as int, float, etc. 2) Return type prompt: Ensure the consistency of the function return value type. 3) Union type prompt: Since PHP8.0, multiple types are allowed to be specified in function parameters or return values. 4) Nullable type prompt: Allows to include null values and handle functions that may return null values.

See all articles