[1]郝子希,王志军,刘振宇.文件上传漏洞的攻击方法与防御措施研究[J].计算机技术与发展,2019,29(02):129-134.[doi:10.3969/j.issn.1673-629X.2019.02.027]
 HAO Zixi,WANG Zhijun,LIU Zhenyu.Research on Attack Method and Defensive Measure of File Upload Vulnerabilities[J].,2019,29(02):129-134.[doi:10.3969/j.issn.1673-629X.2019.02.027]
点击复制

文件上传漏洞的攻击方法与防御措施研究()
分享到:

《计算机技术与发展》[ISSN:1006-6977/CN:61-1281/TN]

卷:
29
期数:
2019年02期
页码:
129-134
栏目:
安全与防范
出版日期:
2019-02-10

文章信息/Info

Title:
Research on Attack Method and Defensive Measure of File Upload Vulnerabilities
文章编号:
1673-629X(2019)02-0129-06
作者:
郝子希12 王志军1 刘振宇2
1.东华大学 计算机科学与技术学院,上海 200050;2.上海计算机软件技术开发中心 上海市计算机软件评测重点实验室,上海 201112
Author(s):
HAO Zi-xi12 WANG Zhi-jun1 LIU Zhen-yu2
1.School of Computer Science and Technology,Donghua University,Shanghai 200050,China;2.Key Laboratory of Computer Software Testing & Evaluating of Shanghai,Shanghai Computer Software Technology Development Center,Shanghai 201112,China
关键词:
渗透测试文件上传网络安全网络攻击Web 漏洞
Keywords:
penetration testfile uploadingnetwork securitynetwork attackWeb vulnerability
分类号:
TP309
DOI:
10.3969/j.issn.1673-629X.2019.02.027
摘要:
简述了当今社会信息安全的重要性,说明了渗透测试技术中文件上传漏洞的基本原理,列举了文件上传漏洞能够造成的危害,对文件上传漏洞进行详细分析。由于文件上传漏洞一般伴随着服务器解析漏洞出现,结合三种不同的 Web应用容器(IIS、Apache、PHP)的解析漏洞,解释文件上传漏洞与服务器解析漏洞之间的关系,详细说明文件上传漏洞出现的原因;从 Web 站点的两种上传文件验证方式—客户端验证和服务器端验证阐述了相应的攻击技巧,通过对五种攻击方法(绕过客户端验证、绕过黑名单与白名单验证、绕过 MIME 验证、绕过目录验证和截断上传攻击)的具体实验描述了对文件上传漏洞的攻击过程,并给出了实验代码;最后针对实验中的攻击方法,提出了四类文件上传漏洞的有效防御措施,并对全文进行总结,对未来提出展望。
Abstract:
We briefly describe the importance of social network security in today’s society,explain the basic principle of file upload vul-nerability in penetration testing technology,list the hazards caused by file upload vulnerability,and analyze the file upload vulnerability in detail. Because the file upload vulnerability generally accompanies server parsing vulnerability,combined with the parsing vulnerabilities of three different Web application containers (IIS,Apache and PHP),we explain the relationship between file upload vulnerability and server parsing vulnerability,and the reasons why the vulnerability can be caused. Based on two ways to verify the uploaded files from Web sites:client authentication and server-side authentication,we illustrate the attack techniques,and based on five attack methods (bypassing client authentication,bypassing blacklists and whitelisting,bypassing MIME verification,bypassing directory verification,and truncating upload attack),we describe the process of attack on file upload vulnerability and give the experimental code. Finally,aiming at the attack methods in the experiment,we put forward four kinds of defensive measures for file upload vulnerability,summarizing full text, prospecting for future.

相似文献/References:

[1]王强,蔡皖东,姚烨.基于渗透测试的跨站脚本漏洞检测方法研究[J].计算机技术与发展,2013,(03):147.
 WANG Qiang,CAI Wan-dong,YAO Ye.Research on Cross-site Scripting Vulnerability Detection Method Based on Penetration Testing[J].,2013,(02):147.

更新日期/Last Update: 2019-02-10