How do you keep your website from being hacked? You need to know these techniques!

Foreword: Don't make too much of the "hackers" who deface pages and plant Trojans on websites. Those who are truly skilled disdain that kind of thing. That one sentence is enough.

There are so many hacker websites nowadays that anyone willing to learn can pick up a few tricks. I have seen it in other people's signatures: Aunt Wang who sells vegetables is a hacker, Uncle Li who roasts sweet potatoes is also a hacker, and the owner of the adult shop opposite, Dig Day, is a hacker too -_-~! ... There are so many hackers!! According to incomplete statistics, at least thousands of websites are invaded and tampered with every day. Once, in a chat in a certain group, a high school student hacked into the intranet server of the local Civil Affairs Bureau to look up the information of a girl she had met. Great. The process was probably quite exciting. As the saying goes, wherever there are computers there will be rivers and lakes. There is always a reason a site gets hacked...

How do you keep a website from being hacked?

Let's start with the foundation.

Choosing the server comes first, because no matter how secure your website program is, once the server is compromised your website becomes a plaything. Some friends may assume that a secure server has to be more expensive. In fact, that is not the case. Money buys stronger software and hardware, which improves network speed or load capacity, but the security of a server is something that is configured by hand. As long as the administrator sets things up properly, the server can be much more secure. In some past practice, I found that many government and school servers were poorly set up; the job seemed to be considered finished as soon as the website could be browsed through IIS. I once heard a friend say of government and school websites that as long as you get a webshell, the server can basically be taken. That sentence explains a phenomenon: many school and government website administrators clearly do not pay enough attention to website security. Your website may only publish news articles, but if an attacker gets in, his target is not necessarily the website itself; it may be a bridge to the intranet servers.

Let's talk about personal websites. For financial reasons, personal websites are basically hosted on virtual hosts. We personal webmasters cannot do much about server security, so it is necessary to choose a better, safer hosting space. Even among virtual hosts, I have come across relatively safe ones, which eliminate some common risks of information leaking through improperly configured directory permissions. At least you won't be toyed with by those "hackers" who go around defacing pages.

Now let's talk about building the website itself. Before that, let's go over some commonly used attack methods.

1. Dangerous upload vulnerabilities

These can be divided into three categories:

One is where the upload function has no identity verification, so a Trojan can be uploaded directly.

One is where anyone can upload just by registering an account, and the upload function does not filter properly.

One is where the upload sits behind the administrator's back-end authentication.

Of course, some upload functions accept a script Trojan directly, and others accept one only after some processing. In any case, many attackers take control of a website through uploads.

2. Injection vulnerabilities

The way an injection vulnerability is exploited, and the permissions it yields, differ from script to script. Dangerous ones can directly threaten system permissions on the server. Ordinary injection can reveal the account information in the database, in order to obtain the administrator's password or other useful information. If the privileges are high, the attacker can write a webshell directly, read the server's directories and files, or directly add a management account, replace a service, and carry out other attacks.

3. Transfer injection, also called cookie transfer injection

Originally this belongs to the category above, but I have listed it separately. Some programs, or add-on anti-injection programs, only filter parameters that arrive by POST or GET. Cookies are ignored. So the attacker can still achieve injection simply by transferring the parameter into a cookie.

4. Writing a Trojan into the database

Some programmers, thinking that an mdb database is easy to download, renamed it with an asp or asa extension, without expecting that such a change would bring greater security risks. Both formats can still be downloaded locally with Thunder. What's more frightening is that the attacker can, by some means, submit a one-sentence Trojan, have it inserted into the database, and then connect with a tool to gain access.

5. Database backup

This is a function in the back end of many websites. The original intention is to let administrators back up the database, but attackers use it to change an uploaded file that carries a backdoor into a real Trojan format, and so gain access. I remember a website system whose database backup page had no administrator authentication at all, which makes the harm even greater. Some database backup functions have restrictions, but these are broken in certain special circumstances. For example, the attacker may be able to back up to formats such as asp, asa, cer, htr, cdx, php, jsp, aspx, ashx and asmx, as well as several names that can be used in an IIS 6.0 environment: .asp;x.jpg, .asa;x.jpg and .php;x.jpg. Many ASP programs only filter the asp format and ignore other parsed formats such as php. There is also the parsing of a backup directory whose folder name is zzfhw.asp or zzfhw.asa. If none of the above is available, the attacker may also back up the conn.asp file in the website directory to zzfhw.txt to view the database path, and may then use the method of writing a Trojan into the database. Of course, attack methods are endless. Only by exchanging experience can we all learn more.
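The naming tricks in sections 1 and 5 all rely on the server deciding how to parse a file from a name the client controls. The following check is an added example, not code from the original article: it rejects the names listed above and stores accepted files under a server-generated name. The function names and the image-only allow-list are assumptions; a backup feature would use its own fixed extension instead.

```python
import os
import re
import secrets

ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}  # assumption: image uploads only
# Script extensions listed in the article; they must not appear in any folder name.
SCRIPT_EXT = {"asp", "asa", "cer", "htr", "cdx", "php", "jsp", "aspx", "ashx", "asmx"}
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9]+$")  # exactly one dot

def check_target(path):
    """Return (ok, reason) for a client-supplied upload or backup target path."""
    parts = path.replace("\\", "/").split("/")
    for folder in parts[:-1]:
        if folder in ("", ".", ".."):
            return False, "absolute path or traversal"
        # zzfhw.asp/ or zzfhw.asa/ : a folder whose name looks like a script
        if any(tok.lower() in SCRIPT_EXT for tok in re.split(r"[.;]", folder)[1:]):
            return False, "script extension in folder name"
    name = parts[-1]
    if ";" in name:
        # x.asp;x.jpg : the IIS 6.0 case, ends in .jpg but is handled as asp
        return False, "semicolon in file name"
    if not SAFE_NAME.match(name):
        return False, "file name must be name.ext with a single dot"
    if os.path.splitext(name)[1].lower() not in ALLOWED_EXT:
        return False, "extension not in allow-list"
    return True, "ok"

def stored_name(client_name):
    """Keep only the validated extension; the server picks the rest of the name."""
    ok, reason = check_target(client_name)
    if not ok:
        raise ValueError(reason)
    ext = os.path.splitext(client_name)[1].lower()
    return secrets.token_hex(16) + ext
```

Run the same check on the backup page's target path as on uploads, and keep that page behind administrator authentication.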

6. Disclosure of the management account password

You may say that the attacks above all presuppose having a management account. So here I will talk about some common ways management account passwords leak.

First: the universal password 'or'='or'. There are more ways to write it. You can search my website for the principle behind it. Using this as the administrator's account and password gets you straight into the back end. There are still many websites where this works.

Second: weak passwords, for example admin/admin888/123456/5201314 and so on. These are easy to guess.

Third: default passwords. There is the default back-end password and the default back-end database. If the attacker knows which source code your website is built on, he will download a copy of the same source code to see whether the default database can be downloaded and whether the back-end password has been left unchanged.

Fourth: the webmaster's all-purpose personal password. Many people use a single password everywhere on the Internet. No matter where that password leaks, the attacker may try it against your website back end, your email, your QQ number, your ftp, and your accounts registered elsewhere... This problem is rather serious and involves social engineering.
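For the 'or'='or' login in the first item and the cookie transfer injection in section 3, the fix is the same: bind the value as a parameter instead of filtering selected input sources. The sketch below is an added example, not code from the original article; the table layout, request dictionary and function names are assumptions, and the sample rows are constructed.

```python
import sqlite3

UNIVERSAL = "'or'='or'"  # the "universal password" string quoted in the article

def make_db():
    """Constructed sample data (plaintext password only to keep the sample short)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admin (username TEXT, password TEXT)")
    db.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    db.execute("INSERT INTO admin VALUES (?, ?)", ("webmaster", "S3p!long-unique"))
    db.execute("INSERT INTO news VALUES (1, 'Site launched')")
    return db

def filter_get_post_only(request):
    """The incomplete add-on filter from section 3: it never looks at cookies."""
    values = list(request["query"].values()) + list(request["form"].values())
    return not any("'" in v for v in values)

def get_param(request, name):
    """Resolve a parameter from query string, then form, then cookies
    (classic ASP's Request(name) falls through its collections the same way)."""
    for source in ("query", "form", "cookies"):
        if name in request[source]:
            return request[source][name]
    return None

def news_title(db, request):
    """Hardened lookup: validate the type, then bind; the source no longer matters."""
    raw = get_param(request, "id")
    if raw is None or not (raw.isascii() and raw.isdigit()):
        return None
    row = db.execute("SELECT title FROM news WHERE id = ?", (int(raw),)).fetchone()
    return row[0] if row else None

def login(db, username, password):
    """Bound values are compared as data, so quotes cannot alter the WHERE clause."""
    row = db.execute(
        "SELECT 1 FROM admin WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None
```

A request that carries the string only in a cookie passes `filter_get_post_only` yet is rejected by `news_title`, which is why the filter cannot be the only defence.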

 

7. Editors

The two main editors are ewebeditor and fckeditor. Low versions of ewebeditor are indeed vulnerable: code can be constructed to upload a Trojan directly. No vulnerabilities have been reported for the higher versions on the market. But the worst thing is that people forget about the back-end password and database path of ewebeditor when using it, which leads to the website being intruded. Some modified versions of fckeditor allow direct upload. And since the ";" vulnerability appeared, intruders have gone wild. On some versions the first upload fails and a second attempt succeeds. Many big websites have been affected.

8. Weak ftp passwords

As mentioned above, you may have used an all-purpose password. Then there are weak passwords. Say your website is www.zzfhw.com. The attacker may use zzfhw as the username (it turns out that many virtual hosts are configured this way) and then generate a series of weak passwords such as zzfhw123/zzfhw123456/zzfhw888/zzfhw520/123456/888888/zzfhw.com/zzfhwftp. Because this can be scanned with related tools, a large number of passwords commonly used by ordinary people can be generated to test your ftp password. Scientific research proves that this method is also quite harmful.
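A check that can run when a back-end or ftp password is set, covering the weak passwords of section 6 and the site-name pattern described here. This is an added example, not code from the original article; the function names, the filler list and the 12-character minimum are assumptions.

```python
COMMON = {"admin", "admin888", "123456", "888888", "5201314"}  # quoted in the article
FILLER = {"ftp", "admin", "web", "pass", "password"}  # constructed list of stock suffixes

def site_tokens(hostname, username):
    """Strings an outsider already knows: account name, domain, and its labels."""
    host = hostname.lower()
    labels = [l for l in host.split(".") if l and l != "www"]
    tokens = {username.lower(), host, ".".join(labels)}
    tokens.update(l for l in labels if len(l) > 3)  # skip short labels such as "com"
    return {t for t in tokens if t}

def weakness(password, hostname, username, min_len=12):
    """Return the reason a password is rejected, or None if it passes."""
    p = password.lower()
    if p in COMMON:
        return "common password"
    # Longest token first, so "zzfhw.com" is stripped before "zzfhw".
    for token in sorted(site_tokens(hostname, username), key=len, reverse=True):
        if token in p:
            rest = p.replace(token, "")
            if rest == "" or rest.isdigit() or rest in FILLER:
                return "derived from site or account name"
    if p.isdigit():
        return "digits only"
    if len(password) < min_len:
        return "shorter than %d characters" % min_len
    return None
```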

9. 0day

Many people now use mainstream programs such as Dongwang, the discuz forum, phpwind, Dongyi, Xinyun and so on. Source code with that many users will also bring you a "surprise" from time to time. On this point, webmasters should keep an eye on articles about the latest program vulnerabilities and patch the program as soon as possible.

10. Side attack (through neighboring sites on the same server)

This means taking down another website hosted on the same server as yours and then getting more information through some xx methods. If the permissions are high enough, the attacker drops a Trojan directly into your directory; if the permissions are ordinary and a Trojan cannot be dropped in, he reads your administrator password or other sensitive information for further intrusion; if the permissions are relatively weak, the attacker will try sniffing.

11. Some other things that cannot be ignored

Database path disclosure, directory listing, arbitrary file download vulnerabilities, file inclusion vulnerabilities, IIS write vulnerabilities, cookie spoofing, cross-site scripting (XSS), and many more. If you are interested, you can search for these terms and methods on my website.

Well, that covers the basic methods. Now that we understand these attacks, we can counter each one and keep the website safe. For example, commonly used back-end paths are admin, manage and system; change yours to something uncommon that will not be guessed. Don't put any back-end login link in the program's pages. When choosing a program, check through Baidu and Google whether it has known vulnerabilities and whether it is the latest version. If you care about your website, test it against the methods listed above to prevent problems before they happen. Don't wait until the defacement page is already hanging there.

Afterword: Personally, I think website security today is generally poor, mainly because people are not aware of it. I can't offer you any especially powerful technique, but anything that reduces the chance of your website being invaded is worthwhile. Security is a process, not a result. If a site has been hacked, we need to find out why. I hope everyone's websites get better and better. If there is something wrong in the above article, please leave a message to correct me.

 


Origin blog.csdn.net/Hsuesh/article/details/112849622