信息网络安全

信息网络安全 ›› 2015, Vol. 15 ›› Issue (10): 53-60.doi: 10.3969/j.issn.1671-1122.2015.10.008

• 技术研究 • 上一篇    下一篇

PHP Web应用程序上传漏洞的攻防研究

韦鲲鹏1(), 葛志辉1, 杨波2   

  1. 1.广西大学计算机与电子信息学院,广西南宁 530004
    2.中国电信集团系统集成有限责任公司广西分公司,广西南宁 530028
  • 收稿日期:2015-08-14 出版日期:2015-10-01 发布日期:2015-11-04
  • 作者简介:

    作者简介: 韦鲲鹏(1990-),男,广西,硕士研究生,主要研究方向:网络安全;葛志辉(1978-),男,河北,教授,博士,主要研究方向:无线网络、移动互联网、网络性能优化;杨波(1974-),男,广西,工程师,本科,主要研究方向:系统集成。

  • 基金资助:
    国家自然科学基金[61363067]

Research on Attack-defense of PHP Web Application Upload Vulnerability

WEI Kun-peng1(), GE Zhi-hui1, YANG Bo2   

  1. 1. College of Computer and Electronic Information, Guangxi University, Nanning Guangxi 530004, China
    2. China Telecom Group System Integration Limited Liability Company, Guangxi Branch, Nanning Guangxi 530028, China
  • Received:2015-08-14 Online:2015-10-01 Published:2015-11-04

RichHTML

1

PDF (PC)

179

摘要:

基于PHP(hypertext preprocessor)的Web应用程序是目前互联网中使用最为广泛的Web应用,一旦PHP Web应用程序出现安全漏洞,系统中存储的数据和用户的安全就受到很大的威胁。因此,PHP Web应用程序的安全漏洞受到越来越多的关注,如何对PHP Web应用程序进行安全防护已经成为当前研究的一大热点。在PHP Web安全中出现概率很大而且危害也很大的攻击有跨站脚本漏洞、SQL注入漏洞、代码执行漏洞及上传漏洞等。目前在跨站脚本漏洞、SQL注入漏洞和代码执行漏洞等领域都已经有了系统的攻防研究,特别是SQL注入漏洞更是人们关注的热点。而针对PHP Web应用程序上传漏洞却缺少系统性的攻防研究,一些防范方法也已经过时,很多攻击技术和防范方法都没有涉及。文章首先对PHP Web应用上传漏洞进行了全面详细的分析,接着给出具体详细的防护措施,最后总结出PHP Web应用程序文件上传功能的安全开发建议。

关键词: PHP Web, 漏洞, 文件上传, 攻防

Abstract:

The Web application set up by PHP (hypertext preprocessor) is the most widely use in the Internet. Once the PHP Web application with security vulnerability, the security of the data and the users of the system is greatly threaten. Because of this, the security vulnerability of PHP Web applications is getting more and more attention. How to secure the PHP Web application protection has become a hot spot in the research of the current. There is a lot of probability and the damage is great attack in the security of PHP Web. They are XSS vulnerability, SQL injection vulnerability, code execution vulnerability and upload vulnerability etc. So far, there has been a system of defensive research in XSS, SQL vulnerabilities and code execution vulnerability and other fields, the SQL injection is more popular in the top. Correspondingly, the Web PHP applications of upload vulnerability are lack of a systematic attack and defense research. Related content could appear in only one chapter in an article, some of these prevention methods are outdated, and many of the latest attack techniques and prevention methods are not involved. The article analyzes carefully on the file upload attack in PHP Web application and gives the corresponding protective measures, and sums up some security development suggestions about file-upload capabilities in PHP Web application.

Key words: PHP Web, vulnerability, file upload, attack-defense

中图分类号: