黑客攻击。他们想要什么? [英] Hacker attack. What do they want?
问题描述
我的网站允许上传图片。出于这个原因,我创建了一个
目录,其中包含drwxrwxrwx-permission。即每个人都可以在该目录中写下
。我明白这不是保存,因为每个人都可以上传到这个目录中的一些脚本会破坏我的文件
系统或存储一些信息。为了让事情变得更好我将
放在那里.htaccess文件:
php_flag引擎关闭
IndexIgnore *
因此,这意味着无法在此目录中执行php脚本。但是
shell脚本怎么样?我怎么能阻止在这个目录中执行
shell脚本?
将文件上传到目录的我的php脚本只需要文件
其中包含* .jpg扩展名。今天我发现在目录中我有一个文件(名为854.jpg),这是一个子目录!他们是怎么做的?b $ b做了吗?好吧,我明白,jpg扩展不保证
文件是jpg图像,但我不知道这个文件可以是一个
目录!
问题是子目录854.jpg没有提到.htaccess文件的上述
。所以目录的所有者可以在那里做任何想要的b $ b。我怎样才能解决这个问题?
Hi,
my site allows to upload images. For that reasons I have created a
directory which have "drwxrwxrwx"-permission. I.e. everybody can write
in that directory. I understand that it is not save, because everybody
can upload to this directory some scripts which would destroy my file
system or store some information. To make things a little bit better I
put there the following .htaccess file:
php_flag engine off
IndexIgnore *
So it means that php-scripts cannot be executed in this directory. But
what about the shell scripts? How could I prevent an execution of the
shell script in this directory?
My php script which upload files to the directory takes only files
which have *.jpg extension. Today I found out that in the directory I
have a file (called 854.jpg) which is an sub-directory! How did they
did it? Well I understand, that jpg extension does not guarantee the
file is an jpg-image, but I did not know that this file can be a
directory!
The problem is that subdirectory "854.jpg" does not have the above
mentioned .htaccess file. So the owner of the directory can make there
whatever it wants. How can I solve this problem?
推荐答案
我的网站允许上传图片。出于这个原因,我创建了一个
my site allows to upload images. For that reasons I have created a
目录,其中包含drwxrwxrwx-permission。即每个人都可以在该目录中写下
。
directory which have "drwxrwxrwx"-permission. I.e. everybody can write
in that directory.
很好,但是除了网络服务器用户之外还有谁写在该目录中?
Nice, but who else writes in that directory than the web server user?
我明白这是不安全的,因为每个人都可以上传到这个目录中的一些脚本会破坏我的文件
系统或存储一些信息。为了让事情变得更好我将
放在那里.htaccess文件:
php_flag引擎关闭
IndexIgnore *
I understand that it is not safe, because everybody
can upload to this directory some scripts which would destroy my file
system or store some information. To make things a little bit better I
put there the following .htaccess file:
php_flag engine off
IndexIgnore *
当你将临时文件移动到最终位置时,你(网络服务器)
可以给它任何你想要的名字。目录是
世界可写且具有.htaccess文件的事实应响铃:如果你保留文件名,那么任何人都可以上传.htaccess文件...
When you move the temp file to the final location, YOU (the webserver)
can give it any name YOU want. The fact that the directory is
world-writeable AND has an .htaccess file should ring a bell: If you
keep the file names, anyone can upload an .htaccess file...
因此,这意味着php-scripts无法在此目录中执行。
So it means that php-scripts cannot be executed in this directory.
鉴于上述情况,你确定吗?
Given the above, are you sure?
但是
什么关于shell脚本?我怎么能阻止在这个目录中执行
shell脚本?
But
what about the shell scripts? How could I prevent an execution of the
shell script in this directory?
不使它们可执行。如果文件是可执行文件,你可以chmod该文件。
By not making them executable. You can chmod the file if it is executable.
我上传文件到目录的php脚本只需要文件
哪个有*。 jpg扩展。今天我发现在目录中我有一个文件(名为854.jpg),这是一个子目录!他们是怎么做的?b $ b做了吗?好吧,我明白,jpg扩展不保证
文件是jpg图像,但我不知道这个文件可以是一个
目录!
问题是子目录854.jpg没有提到.htaccess文件的上述
。所以目录的所有者可以在那里做任何想要的b $ b。如何解决这个问题?
My php script which upload files to the directory takes only files
which have *.jpg extension. Today I found out that in the directory I
have a file (called 854.jpg) which is an sub-directory! How did they
did it? Well I understand, that jpg extension does not guarantee the
file is an jpg-image, but I did not know that this file can be a
directory!
The problem is that subdirectory "854.jpg" does not have the above
mentioned .htaccess file. So the owner of the directory can make there
whatever it wants. How can I solve this problem?
将.htaccess文件中出现的内容放在正常的
配置中。 .htaccess文件没有理由,除了缺少对系统维护者的访问权限。
此外,你可以检查它是否是一个目录上传。
祝你好运!
By putting the things that appear in the .htaccess file in the normal
config. There is really no reason for .htaccess files, other than lack
of access to system maintainers.
Furthermore, you can check if it is a directory upon upload.
Good luck!
2月23日晚上11点21分,Fro< showandbesh ... @ gmail .comwrote:
On Feb 23, 11:21 pm, Fro <showandbesh...@gmail.comwrote:
我的网站允许上传图片。出于这个原因,我创建了一个
目录,其中包含drwxrwxrwx-permission。即每个人都可以在该目录中写下
。我明白这不是保存,因为每个人都可以上传到这个目录中的一些脚本会破坏我的文件
系统或存储一些信息。为了让事情变得更好我将
放在那里.htaccess文件:
php_flag引擎关闭
IndexIgnore *
因此,这意味着无法在此目录中执行php脚本。但是
shell脚本怎么样?我怎么能阻止在这个目录中执行
shell脚本?
将文件上传到目录的我的php脚本只需要文件
其中包含* .jpg扩展名。今天我发现在目录中我有一个文件(名为854.jpg),这是一个子目录!他们是怎么做的?b $ b做了吗?好吧,我明白,jpg扩展不保证
文件是jpg图像,但我不知道这个文件可以是一个
目录!
问题是子目录854.jpg没有提到.htaccess文件的上述
。所以目录的所有者可以在那里做任何想要的b $ b。我怎么解决这个问题?
Hi,
my site allows to upload images. For that reasons I have created a
directory which have "drwxrwxrwx"-permission. I.e. everybody can write
in that directory. I understand that it is not save, because everybody
can upload to this directory some scripts which would destroy my file
system or store some information. To make things a little bit better I
put there the following .htaccess file:
php_flag engine off
IndexIgnore *
So it means that php-scripts cannot be executed in this directory. But
what about the shell scripts? How could I prevent an execution of the
shell script in this directory?
My php script which upload files to the directory takes only files
which have *.jpg extension. Today I found out that in the directory I
have a file (called 854.jpg) which is an sub-directory! How did they
did it? Well I understand, that jpg extension does not guarantee the
file is an jpg-image, but I did not know that this file can be a
directory!
The problem is that subdirectory "854.jpg" does not have the above
mentioned .htaccess file. So the owner of the directory can make there
whatever it wants. How can I solve this problem?
您必须在上传
之前向用户提供写入和执行权限,并将chmod更改为644或744或之后的任何内容
上传。如果您能够记录这些攻击者的IP地址,那么你应该禁止这些ip'连接。此外,出于安全原因,禁用
一些php函数,如exec(),ftp等。
You have to give write and execute privilages to users just before the
upload and change chmod to 644 or 744 or whatever immediately after
upload. If you able to logged these attackers ip addresses you should
ban these ip''s to connect. Furthermore for security reasons disable
some php functions such as exec(), ftp, etc.
Fro写道:
Fro wrote:
我的网站允许上传图片。出于这个原因,我创建了一个
目录,其中包含drwxrwxrwx-permission。即每个人都可以在该目录中写下
。
Hi,
my site allows to upload images. For that reasons I have created a
directory which have "drwxrwxrwx"-permission. I.e. everybody can write
in that directory.
我相信你可以使用drw-rw-rw-权限。离开
执行权限会阻止创建子目录。
I do believe you could use drw-rw-rw- permissions. Leaving off
the execute permission would prevent creating a subdirectory.
这篇关于黑客攻击。他们想要什么?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
