Research on PHP programs for non-scalable names

xiaoxiao2021-03-06  99

Research on PHP programs for non-scalable names

Author: PHP environment: WinXp Pro Apache 2.0.49 PHP 4.3.5 (Module)

There will be no extension PHP code, which is interpreted to the PHP interpreter, which is great to increase security, giving invasive people, stealing people, increasing confusing. E.g:

Http://www.msger.net/chat?username=hackfanhttp://www.msger.net/images/test.gif

From a general understanding, the two URLs above are likely to be like this:

/ | -Chat / ????? | -index.php | -Images / ????? | -Test.gif

However, Apache PHP allows Chat, images into a PHP program, and the back part as a parameter. In fact, these 2 URLs are very likely:

/ | -chat. ??? (PHP file) | -IMages | -Imagessecret /? (directory)

Http://www.msger.net/images/test.gif will hand over this PHP program. The part of this program is given below:

_Server ["Request_uri"] = / / images/test.gif_server["script_name "] = / images _server [" path_info "] ?? = /TEST.GIF _SERVER [" PHP_SELF "] ??? = /IMAGES/Test.gif

Everyone noticed that Apache has the correct judgment of _Server ["script_name"], other information is almost all of them being deceived. I don't know what everyone thinks with this nature, anyway, anyway, I think it can prevent pictures from stealing the chain.

Also, I have to find a lot of information, and finally, I will make Apache to correctly explain the PHP file without the extension:

Modify httpd.conf, find

Add: DefaultType Application / X-httpd-PHP

The last legacy problem:

How do you handle this kind of request for http://www.msger.net/images/..Test.gif? Do not send such requests with IE because IE automatically handles.

转载请注明原文地址:https://www.9cbs.com/read-104542.html

New Post(0)