Journal of Information Security Research ›› 2020, Vol. 6 ›› Issue (2): 151-158.
黄志华1,王子凯1,徐玉华1,李云龙1,孙伟2
Abstract: File upload vulnerabilities are a common vulnerability type in Web application systems. An attacker exploits the Web application's inadequate checking of uploaded files to upload executable scripts. Using this vulnerability, the attacker can upload a Website backdoor (WebShell) to the Web application server and then gain the privileges of the Web site by accessing it; from there the attacker can steal data from the Web application server and penetrate it further. This paper studies and analyzes file upload and the common means of detection and defense, summarizes and analyzes the attack techniques used against upload vulnerabilities, and, for the file upload vulnerabilities in the DVWA vulnerability environment, tests the summarized attack methods in practice. Finally, it summarizes the defense methods against file upload attacks and outlines future prospects.
Key words: file upload vulnerability, Website backdoor, upload attack detection, DVWA vulnerability environment, defense method
Abstract (Chinese version, translated): File upload vulnerabilities are a common type of vulnerability in Web application systems; an attacker exploits the inadequacy of the Web application's checks on uploaded files to upload executable scripts. Using this vulnerability, the attacker uploads a website backdoor (WebShell) to the Web application server, then gains privileges on the Web site by accessing it, which allows data to be stolen from the Web application server and the server to be penetrated further. This paper studies and analyzes file upload and the common detection and defense measures, summarizes and analyzes the attack techniques for upload vulnerabilities, and tests the summarized attack methods in practice against the file upload vulnerability in the DVWA vulnerability environment; finally, it summarizes defense methods against file upload attacks and offers a future outlook.
Key words (Chinese version, translated): file upload vulnerability, website backdoor, upload attack detection, DVWA vulnerability environment, defense method
黄志华, 王子凯, 徐玉华, 李云龙, 孙伟. Research and Practice on File Upload Vulnerabilities [J]. Journal of Information Security Research, 2020, 6(2): 151-158.
URL: http://www.sicris.cn/EN/Y2020/V6/I2/151