{"id":57572,"date":"2018-10-26T09:00:41","date_gmt":"2018-10-26T01:00:41","guid":{"rendered":"https:\/\/blog.trendmicro.com.tw\/?p=57572"},"modified":"2018-10-16T14:40:37","modified_gmt":"2018-10-16T06:40:37","slug":"%e4%bc%81%e6%a5%ad%e5%b8%b8%e9%81%87%e5%88%b0%e7%9a%84%e5%9b%9b%e7%a8%ae%e7%b6%b2%e9%a0%81%e6%b3%a8%e5%85%a5%ef%bc%88web-injection%ef%bc%89%e6%94%bb%e6%93%8a","status":"publish","type":"post","link":"https:\/\/blog.trendmicro.com.tw\/?p=57572","title":{"rendered":"\u4f01\u696d\u5e38\u9047\u5230\u7684\u56db\u7a2e\u7db2\u9801\u6ce8\u5165\uff08Web Injection\uff09\u653b\u64ca"},"content":{"rendered":"

\u7db2\u9801\u6ce8\u5165\uff08Web Injection\uff09\u662f\u6bcf\u4f4d\u7a0b\u5f0f\u8a2d\u8a08\u5e2b\u3001\u958b\u767c\u8005\u548c\u8cc7\u8a0a\u5b89\u5168\uff08InfoSec\uff09\u5c08\u5bb6\u6240\u982d\u75bc\u7684\u554f\u984c\uff0c\u4e5f\u662f\u7db2\u8def\u72af\u7f6a\u5de5\u5177\u5305\u5167\u5e38\u5099\u7684\u5de5\u5177\u3002\u7279\u5225\u662f\u8de8\u7ad9\u8173\u672c\u3001\u547d\u4ee4\u6ce8\u5165\u3001SQL\u6ce8\u5165\u548cXML\u6ce8\u5165\u90fd\u662f\u7db2\u7ad9\u548c\u7db2\u9801\u61c9\u7528\u7a0b\u5f0f\u7d93\u5e38\u906d\u9047\u5230\u7684\u653b\u64ca\uff0c\u56e0\u70ba\u9019\u4e9b\u653b\u64ca\u53ef\u4ee5\u900f\u904e\u591a\u7a2e\u65b9\u5f0f\u57f7\u884c\u3002\u9632\u8b77\u65b9\u6848\u7684\u8907\u96dc\u6027\u4e5f\u589e\u52a0\u4e86\u9632\u79a6\u7684\u56f0\u96e3\u5ea6\u3002<\/p>\n

\u56db\u7a2e\u7db2\u9801\u6ce8\u5165\u653b\u64ca<\/h3>\n

\u4fdd\u8b77\u5e73\u53f0\u4e0d\u8b93\u500b\u4eba\u53ca\u8ca1\u52d9\u8cc7\u6599\u5931\u5b88\u662f\u4f01\u696d\u5728\u71df\u904b\u3001\u5546\u8b7d\u548c\u5229\u6f64\u65b9\u9762\u91cd\u8981\u7684\u4e00\u74b0\u3002\u4ee5\u4e0b\u662f\u8cc7\u5b89\u4eba\u54e1\u7d93\u5e38\u6703\u9047\u5230\u7684\u56db\u7a2e\u7db2\u9801\u6ce8\u5165\u653b\u64ca\uff1a<\/p>\n

\"\"<\/a><\/p>\n

    \n
  1. SQL<\/em><\/strong>\u6ce8\u5165\uff08SQL Injection, SQLi<\/em><\/strong>\uff09<\/em><\/strong><\/li>\n<\/ol>\n

    SQL\u6ce8\u5165<\/a>\u53ef\u4ee5\u7528\u4f86\u5165\u4fb5\u4f7f\u7528\u8cc7\u6599\u5eab\u7684\u8edf\u9ad4\uff0c\u88ab\u958b\u653e\u7db2\u8def\u8edf\u9ad4\u5b89\u5168\u8a08\u756b\uff08OWASP\uff09\u8996\u70ba\u4fb5\u5165\u7db2\u7ad9\u53caSQL\u8cc7\u6599\u5eab\u6700\u5e38\u898b\u7684\u6280\u8853\u4e4b\u4e00\u3002SQLi\u5c07\u60e1\u610fSQL\u8a9e\u6cd5\u63d2\u5165\u8f38\u5165\u5b57\u4e32\uff08\u4f5c\u70ba\u6307\u4ee4\u6216\u67e5\u8a62\u7684\u4e00\u90e8\u5206\uff09\uff0c\u4e26\u4e14\u5229\u7528\u4e86\u8edf\u9ad4\u6216\u7db2\u9801\u61c9\u7528\u7a0b\u5f0f\u7684\u6f0f\u6d1e \u2013 \u4f8b\u5982\u6c92\u6709\u6b63\u78ba\u5730\u904e\u6ffe\u4f7f\u7528\u8005\u8f38\u5165\u3002\u6bd4\u65b9\u8aaa\uff0c\u653b\u64ca\u8005\u53ef\u4ee5\u5c07\u60e1\u610f\u8f38\u5165\u8b8a\u6210SQL\u67e5\u8a62\u7684\u53c3\u6578\uff0c\u8b93\u8cc7\u6599\u5eab\u8a8d\u70ba\u662fSQL\u6307\u4ee4\u7684\u4e00\u90e8\u5206\u800c\u57f7\u884c\u3002<\/p>\n

    SQLi\u653b\u64ca\u6210\u529f\u53ef\u4ee5\u8b93\u99ed\u5ba2\u507d\u88dd\u6210\u76ee\u6a19\u8eab\u4efd\u4e26\u53d6\u5f97\u8cc7\u6599\u5eab\u4f3a\u670d\u5668\u7684\u7ba1\u7406\u6b0a\u9650\u3002\u99ed\u5ba2\u63a5\u8457\u53ef\u4ee5\u4fee\u6539\u73fe\u6709\u8cc7\u6599\uff08\u5982\u53d6\u6d88\u4ea4\u6613\uff09\uff0c\u53d6\u51fa\u7cfb\u7d71\u5167\u7684\u8cc7\u6599\uff0c\u7834\u58de\u3001\u8986\u84cb\u6216\u522a\u9664\u8cc7\u6599\uff0c\u751a\u81f3\u4f7f\u5176\u7121\u6cd5\u9023\u7dda\u3002\u5c0d\u65bc\u6703\u7528\u5982\u4f55\u5165\u4fb5\u7db2\u8def\u4f86\u5a01\u8105<\/a>\u4f01\u696d\u4ed8\u596c\u91d1\u7684\u6f0f\u6d1e\u7375\u4eba<\/a>\u4ee5\u53ca\u6703\u522a\u9664<\/a>\u7db2\u7ad9\u5167\u5bb9\u4e26\u5c07\u5176\u6d3b\u52d5\u507d\u88dd\u6210\u52d2\u7d22\u75c5\u6bd2<\/a>\u7684\u58de\u4eba\u4f86\u8aaa\uff0c\u9019\u4e00\u76f4\u662f\u500b\u9996\u9078\u6280\u8853\u3002SQLi\u9084\u88ab\u7528\u4f86\u7ac4\u6539<\/a>\u7db2\u7ad9\u4ee5\u53ca\u516c\u958b<\/a>\u5132\u5b58\u5728\u8cc7\u6599\u5eab\u5167\u7684\u500b\u4eba\u8b58\u5225\u8cc7\u6599\u3001\u5e33\u5bc6\u548c\u654f\u611f\u516c\u53f8\u8cc7\u6599<\/a>\u3002<\/p>\n

     <\/p>\n

      \n
    1. \u547d\u4ee4\u6ce8\u5165\uff08Command Injection<\/em><\/strong>\uff09<\/em><\/strong><\/li>\n<\/ol>\n

      \u4e0d\u540c\u65bcSQLi\u653b\u64ca\u91dd\u5c0d\u8cc7\u6599\u5eab\u76f8\u95dc\u7db2\u9801\u61c9\u7528\u7a0b\u5f0f\/\u670d\u52d9\uff0c\u547d\u4ee4\u6ce8\u5165\u8b93\u653b\u64ca\u8005\u63d2\u5165\u60e1\u610fshell\u547d\u4ee4\u5230\u7db2\u7ad9\u4e3b\u6a5f\u4f5c\u696d\u7cfb\u7d71\u3002\u50cf\u662f\u53ef\u4ee5\u627e\u51fa\u61c9\u7528\u7a0b\u5f0f\u5b89\u88dd\u7684\u76ee\u9304\u4e26\u5728\u90a3\u57f7\u884c\u60e1\u610f\u8173\u672c\u3002\u547d\u4ee4\u6ce8\u5165\u8b93\u99ed\u5ba2\u53ef\u4ee5\u5229\u7528\u6709\u6f0f\u6d1e\u7684\u7db2\u9801\u61c9\u7528\u7a0b\u5f0f\u4f86\u57f7\u884c\u4efb\u610f\u547d\u4ee4 \u2013 \u4f8b\u5982\u7576\u61c9\u7528\u7a0b\u5f0f\u5c07\u8868\u55ae\u3001HTTP\u6a19\u982d\u548ccookie\u5167\u7684\u60e1\u610f\u5167\u5bb9\u5e36\u5230\u7cfb\u7d71shell\u6642\u3002\u6b64\u985e\u653b\u64ca\u5c31\u6703\u7528\u9019\u4e0d\u5b89\u5168\u61c9\u7528\u7a0b\u5f0f\u7684\u6b0a\u9650\u57f7\u884c\u3002<\/p>\n

      \u7c21\u800c\u8a00\u4e4b\uff0c\u7576\u60e1\u610f\u8f38\u5165\u88ab\u8aa4\u8a8d\u70ba\u4f5c\u696d\u7cfb\u7d71\u547d\u4ee4\u6642\u5c31\u6703\u767c\u751f\u547d\u4ee4\u6ce8\u5165\uff0c\u8b93\u58de\u4eba\u53ef\u4ee5\u53d6\u5f97\u6a94\u6848\u6216\u7db2\u9801\u4f3a\u670d\u5668\u7684\u63a7\u5236\u30022014<\/a>\u5e74\u7684Shellshock\u653b\u64ca\u5c31\u662f\u4e00\u4f8b<\/a>\uff1a\u5b83\u5011\u8b93\u653b\u64ca\u8005\u53ef\u4ee5\u4fee\u6539\u7db2\u9801\u4f3a\u670d\u5668\u5167\u5bb9\u3001\u8b8a\u66f4\u7db2\u7ad9\u4ee3\u78bc\u3001\u7aca\u53d6\u6216\u5916\u6d29\u8cc7\u6599\u3001\u8b8a\u66f4\u6b0a\u9650\u4ee5\u53ca\u5b89\u88dd\u5f8c\u9580\u7b49\u60e1\u610f\u8edf\u9ad4\u3002\u96fb\u5b50\u90f5\u4ef6\u5bc4\u9001\u7a0b\u5f0f\u5eab\u7684\u7db2\u7ad9\u5143\u4ef6\u51fa\u73fe\u6f0f\u6d1e\u6642\u4e5f\u90fd\u6703\u6210\u70ba\u982d\u689d<\/a>\uff0c\u4f8b\u5982\u806f\u7d61\u4eba\u3001\u8a3b\u518a\u53ca\u5bc6\u78bc\u91cd\u8a2d\u90f5\u4ef6\u8868\u55ae\u3002<\/p>\n

       <\/p>\n

        \n
      1. XML<\/em><\/strong>\u5916\u90e8\u5be6\u9ad4\u6ce8\u5165\uff08XML External Entity Injection, XXE<\/em><\/strong>\uff09<\/em><\/strong><\/li>\n<\/ol>\n

        \u9019\u985e\u653b\u64ca\u4e0d\u50cfSQLi\u6216\u8de8\u7ad9\u8173\u672c<\/a>\u90a3\u6a23\u5e38\u51fa\u73fe\uff0c\u4f46XML\u5916\u90e8\u5be6\u9ad4\u6ce8\u5165\uff08XXE\uff09\u6700\u8fd1\u4e5f\u7372\u5f97\u4e86\u95dc\u6ce8<\/a>\u3002XML\uff08\u53ef\u5ef6\u4f38\u6a19\u8a18\u5f0f\u8a9e\u8a00\uff09\u652f\u63f4\u5916\u90e8\u5be6\u9ad4\u3002\u53ef\u4ee5\u7528\u4f86\u5f15\u7528\u6216\u8abf\u7528\u4e3b\u6a94\u6848\u5916\u7684\u8cc7\u6599\u5230XML\u6587\u4ef6\u3002XXE\u6703\u653b\u64ca\u7db2\u9801\u61c9\u7528\u7a0b\u5f0f\u89e3\u6790\u672a\u77e5\u6216\u53ef\u7591\u4f86\u6e90XML\u8f38\u5165\u6642\u7684\u6f0f\u6d1e\u3002\u5c07\u60e1\u610f\u5167\u5bb9\u6ce8\u5165\u5c07\u4f7f\u7528\u8005\u6216\u5ba2\u6236\u8cc7\u6599\u8f38\u5165\u61c9\u7528\u7a0b\u5f0f\u7684\u6587\u4ef6\uff08\u5982XML\u6a94\u6848\uff09\u3002<\/p>\n

        XXE\u653b\u64ca\u6210\u529f\u53ef\u4ee5\u8b93\u99ed\u5ba2\u5b58\u53d6\u5167\u90e8\u7db2\u8def\u6216\u670d\u52d9\u3001\u8b80\u53d6\u5b58\u653e\u5728\u4f3a\u670d\u5668\u4e0a\u7684\u7cfb\u7d71\u6a94\u6848\u4ee5\u53ca\u6383\u63cf\u5167\u90e8\u7aef\u53e3\u3002\u5728\u67d0\u4e9b\u72c0\u6cc1\u4e0b\uff0cXXE\u53ef\u4ee5\u8b93\u653b\u64ca\u8005\u57f7\u884c\u9060\u7aef\u7a0b\u5f0f\u78bc\uff08\u6bd4\u65b9\u8aaa\u900f\u904e\u8f09\u5165\u60e1\u610f\u53ef\u57f7\u884cPHP\u7a0b\u5f0f\u78bc\uff09\u3002\u9019\u4e9b\u90fd\u53d6\u6c7a\u65bc\u89e3\u6790\u5668\u7684\u6b0a\u9650\u3002<\/p>\n

        XXE\u88ab\u7528\u4f86<\/a>\u6210\u529f\u5730\u5728Facebook\u57f7\u884c\u9060\u7aef\u7a0b\u5f0f\u78bc\uff0c\u7531\u6b64\u6210\u70ba\u6700\u9ad8\u7684bug\u734e\u91d1<\/a>\u4e4b\u4e00\u3002XXE\u6f0f\u6d1e\u6700\u8fd1\u4e5f\u51fa\u73fe\u5728\u7d93\u5e38\u7528\u65bc<\/a>Mac\u61c9\u7528\u7a0b\u5f0f\u7684\u66f4\u65b0\u6846\u67b6\u3001Adobe ColdFusion\u7684XML\u89e3\u6790\u5668<\/a>\uff08CVE-2016-4264<\/a>\uff09\u3001Google\u641c\u5c0b\u5f15\u64ce\u7684\u4e00\u500b\u529f\u80fd\u4ee5\u53caMagento\u4f7f\u7528<\/a>\u7684PHP\u5de5\u5177\u5305\uff08Zend\uff09\u3002<\/p>\n

        <\/p>\n

          \n
        1. \u8de8\u7ad9\u8173\u672c\uff08Cross Site Scripting, XSS<\/em><\/strong>\uff09<\/em><\/strong><\/li>\n<\/ol>\n

          \u5229\u7528\u8de8\u7ad9\u8173\u672c<\/a>\uff08XSS\uff09\u6f0f\u6d1e\u8b93\u58de\u4eba\u53ef\u4ee5\u5c07\u60e1\u610f\u8173\u672c\u6ce8\u5165\u4f7f\u7528\u8005\u7684\u700f\u89bd\u5668\u3002OWASP\u7684\u6700\u65b0\u8cc7\u6599\u8868\u793a<\/a>XSS\u662f\u6700\u5927\u7684\u5b89\u5168\u98a8\u96aa\uff0c\u5e38\u88ab\u7528\u4f86\u9032\u884c\u7db2\u9801\u7ac4\u6539\uff08defacement\uff09\u548c\u81ea\u52d5\u5316\u7db2\u8def\u653b\u64ca\u3002<\/p>\n

          XSS\u653b\u64ca\u6709\u8a31\u591a\u7a2e\uff0c\u53d6\u6c7a\u65bc\u7a0b\u5f0f\u78bc\u6ce8\u5165\u65b9\u5f0f\u53ca\u653b\u64ca\u8005\u7684\u52d5\u6a5f\u3002XSS\u653b\u64ca\u6703\u51fa\u73fe\u5728\u8655\u7406\u4f7f\u7528\u8005\u8f38\u5165\u7684\u7db2\u9801\uff0c\u5982\u8cc7\u6599\u5eab\u3001\u767b\u5165\u548c\u641c\u5c0b\u8868\u55ae\u3001\u8a55\u8ad6\u529f\u80fd\u548c\u7559\u8a00\u677f\/\u8ad6\u58c7 \u2013 Stored XSS\u3002\u932f\u8aa4\u548c\u641c\u5c0b\u7d50\u679c\u9801\u9762\uff08\u5c07\u8f38\u5165\u4f5c\u70ba\u8acb\u6c42\u7684\u4e00\u90e8\u5206\u9001\u7d66\u4f3a\u670d\u5668\uff09\u4e5f\u53ef\u80fd\u88ab\u7528\u4f86\u50b3\u9001\u653b\u64ca\u8005\u6ce8\u5165\u7684\u60e1\u610f\u8173\u672c \u2013 Reflected XSS\u3002\u653b\u64ca\u8005\u9084\u53ef\u4ee5\u4fee\u6539\u53d7\u5bb3\u8005\u700f\u89bd\u5668\u5167\u7684\u6587\u4ef6\u7269\u4ef6\u6a21\u578b\uff08Document Object Model, DOM\uff09\u4f86\u57f7\u884c\u60e1\u610f\u884c\u70ba \u2013 DOM-based XSS\u3002<\/p>\n

          \u9020\u6210\u7684\u5f71\u97ff\u5f9e\u9a37\u64fe\u5230\u91cd\u5927\u8cc7\u5b89\u98a8\u96aa \u2013 \u9020\u6210\u4e0d\u7576\u7db2\u7ad9\u5167\u5bb9\u3001\u7aca\u53d6\u6216\u8b8a\u52d5session\u548c\u6388\u6b0acookie\u3001\u7522\u751f\u6703\u88ab\u8aa4\u8a8d\u70ba\u6709\u6548\u7684\u8acb\u6c42\u3001\u5c07\u4f7f\u7528\u8005\u8f49\u5411\u60e1\u610f\u7db2\u7ad9\u3001\u52ab\u6301\u53d7\u5bb3\u8005\u5e33\u865f\u3001\u9020\u6210\u7db2\u7ad9\u505c\u64fa\u6216\u5c07\u60e1\u610f\u8edf\u9ad4\u9001\u9032\u7cfb\u7d71\u3002\u5c0dYahoo!<\/a>\u3001Wordpress\uff08\u5229\u7528\u6709\u6f0f\u6d1e\u7684\u5916\u639b\u7a0b\u5f0f<\/a>\uff09\u3001\u4f86\u81eaGoogle Docs\u548cGoogle Developers\u7684\u7db2\u7ad9\/\u7db2\u57df<\/a>\uff08\u900f\u904eCaja\u5de5\u5177\u5305\u5167\u7684\u6f0f\u6d1e<\/a>\uff09\u4ee5\u53ca\u96fb\u5b50\u5546\u52d9\u548c\u7db2\u9801\u958b\u767c\u5e73\u53f0Magento<\/a>\u548cWix<\/a>\u7684\u653b\u64ca\u662f2016\u5e74\u6709\u95dc\u8de8\u7ad9\u8173\u672c\u653b\u64ca\u7684\u77e5\u540d\u4e8b\u4ef6\u3002<\/p>\n

           <\/p>\n

          \u5b89\u5168\u5c0d\u7b56<\/strong><\/h3>\n

          \u8207\u5927\u591a\u6578\u4e8b\u60c5\u4e00\u6a23\uff0c\u9810\u9632\u52dd\u904e\u6cbb\u7642\u3002\u4ee5\u4e0b\u662fIT\u5c08\u696d\u4eba\u54e1\u53ca\u7db2\u9801\u958b\u767c\u8005\/\u7a0b\u5f0f\u8a2d\u8a08\u5e2b\u53ef\u4ee5\u63a1\u53d6\u7684\u4e00\u4e9b\u5c0d\u7b56\uff0c\u4ee5\u7de9\u89e3\uff08\u5982\u679c\u4e0d\u662f\u963b\u6b62\uff09\u9019\u4e9b\u653b\u64ca\uff1a<\/p>\n

          \u5225\u76f8\u4fe1\u4efb\u4f55\u4eba\u3002<\/em><\/strong>\u7db2\u9801\u958b\u767c\u8005\u5fc5\u9808\u5047\u8a2d\u6240\u6709\u7684\u4f7f\u7528\u8005\u8f38\u5165\u90fd\u662f\u60e1\u610f\u7684\uff0c\u5fc5\u9808\u52a0\u4ee5\u9a57\u8b49\u548c\u6d88\u6bd2\u3002\u767d\u540d\u55ae\uff08\u62d2\u7d55\u767d\u540d\u55ae\u4ee5\u5916\u7684\u4efb\u4f55\u8f38\u5165\uff09\u662f\u5b89\u5168\u8655\u7406\u8f38\u5165\u7684\u65b9\u6cd5\u4e4b\u4e00\u3002\u5728\u958b\u767c\u7db2\u7ad9\u548c\u7db2\u9801\u61c9\u7528\u7a0b\u5f0f\u6642\uff0c\u8acb\u8003\u616e\u51fa\u73fe\u8f38\u5165\u554f\u984c\u6642\u8981\u7d42\u6b62\u57f7\u884c\uff08\u4f8b\u5982\u4f7f\u7528\u975e\u9810\u671f\u5b57\u5143\uff09\uff0c\u4e26\u4e14\u8981\u904e\u6ffe\u548c\u7de8\u78bc\u8f38\u5165\u4f86\u78ba\u4fdd\u90fd\u7d93\u904e\u6aa2\u67e5\u3002\u6709\u4e9b\u7a0b\u5f0f\u8a9e\u8a00\u5177\u6709\u6c61\u9ede\u6aa2\u9a57\uff08taint-checking\uff09\u529f\u80fd\uff0c\u53ef\u4ee5\u6aa2\u67e5\u548c\u9632\u6b62\u7528\u4f86\u57f7\u884c\u60e1\u610f\u547d\u4ee4\u7684\u8f38\u5165\u3002\u5982\u4f55\u8655\u7406\u8f38\u51fa\u4e5f\u5fc5\u9808\u9a57\u8b49\u3002\u7db2\u9801\u958b\u767c\u8005\u61c9\u8a72\u7528\u66ff\u4ee3\u5b57\u5143\u4f86\u7de8\u78bc\u8f38\u51fa\uff0c\u9019\u6a23\u53ef\u4ee5\u6d88\u6bd2\u5b57\u5143\u4e26\u9632\u6b62\u88ab\u610f\u5916\u5730\u57f7\u884c\u3002<\/p>\n

          \u59cb\u65bc\u5b89\u5168\u7684\u8a2d\u8a08\u3002<\/em><\/strong>\u7db2\u9801\u958b\u767c\u8005\u5fc5\u9808\u5728\u6574\u500b\u958b\u767c\u9031\u671f\u63a1\u7528\u5b89\u5168\u958b\u767c\u5be6\u4f5c\u4ee5\u7dad\u8b77\u6703\u88ab\u5176\u7db2\u9801\u61c9\u7528\u7a0b\u5f0f\/\u9801\u9762\u8655\u7406\u8cc7\u6599\u7684\u96b1\u79c1\u6027\u3001\u5b8c\u6574\u6027\u548c\u53ef\u5b58\u53d6\u6027\u3002\u6bd4\u65b9\u8aaa\uff0c\u5728\u5c64\u758a\u6a23\u5f0f\u8868\uff08CSS\uff09\u5c6c\u6027\u3001HTML\u5c6c\u6027\u548cXML\u89e3\u6790\u5668\u5167\u56b4\u683c\u9a57\u8b49\u4e0d\u53d7\u4fe1\u4efb\u7684\u8cc7\u6599\uff08\u540c\u6642\u4fdd\u7559\u7db2\u7ad9\/\u61c9\u7528\u7a0b\u5f0f\u5916\u89c0\uff09\u662f\u9632\u79a6\u5165\u4fb5\u7684\u5fc5\u8981\u689d\u4ef6\u3002<\/p>\n

          \u4fdd\u6301\u8207\u6642\u4e26\u9032\u3002<\/em><\/strong>IT\u5c08\u5bb6\u5fc5\u9808\u5b9a\u671f\u9032\u884c\u66f4\u65b0\u53ca\u5b89\u88dd\u4fee\u88dc\u7a0b\u5f0f\u4ee5\u9632\u6b62\u7cfb\u7d71\u53ca\u8edf\u9ad4\u7684\u5b89\u5168\u6f0f\u6d1e\u88ab\u5229\u7528\u3002\u958b\u767c\u4eba\u54e1\u4e5f\u5fc5\u9808\u8981\u4e86\u89e3\u6700\u4f73\u958b\u767c\u5be6\u4f5c\u3002\u540c\u6642\u516c\u53f8\u5167\u90e8\u4e5f\u9700\u8981\u63d0\u4f9b\u8cc7\u5b89\u6559\u80b2\u8a13\u7df4\u548c\u7a3d\u67e5\u3002<\/p>\n

          \u5225\u8b93\u4e8b\u60c5\u8907\u96dc\u5316\u3002<\/em><\/strong>\u958b\u767c\u4eba\u54e1\u61c9\u76e1\u53ef\u80fd\u907f\u514d\u4f7f\u7528\u6613\u906d\u53d7\u653b\u64ca\u7684\u5de5\u5177\u548c\u958b\u767c\u6280\u8853\u3002\u50cf\u662f\u4f7f\u7528\u6e96\u5099\u597d\u5e36\u53c3\u6578\u7684\u8a9e\u6cd5\u6216\u67e5\u8a62\u53ca\u9810\u5b58\u7a0b\u5e8f\uff08Stored Procedure\uff09\u800c\u975e\u52d5\u614bSQL\u3002\u505c\u7528\u5916\u90e8\u5be6\u9ad4\u89e3\u6790\u4e5f\u6709\u52a9\u65bc\u7de9\u89e3\u57fa\u65bcXXE\u7684\u963b\u65b7\u670d\u52d9\u653b\u64ca\u3002<\/p>\n

          \u63a1\u53d6\u7e31\u6df1\u9632\u79a6\u8207\u591a\u5c64\u6b21\u9632\u79a6\u6a5f\u5236\u3002<\/strong>IT\u5c08\u5bb6\u61c9\u8a72\u8981\u7db2\u8def\u5167\u51fa\u73fe\u7684\u60e1\u610f\u548c\u53ef\u7591\u8cc7\u6599\u53ca\u6d41\u91cf\u3002\u6aa2\u67e5\u7db2\u7ad9\u6216\u7db2\u9801\u61c9\u7528\u7a0b\u5f0f\u5167\u7684\u9023\u7dda\u4ee5\u53ca\u8acb\u6c42\u548c\u56de\u61c9\uff08\u5982HTTP\u3001HTTPS\u3001SOAP\u548cXML\u9060\u7aef\u7a0b\u5e8f\u547c\u53eb\u7b49\uff09\u3002\u6bd4\u65b9\u8aaa\u6aa2\u67e5\u53ef\u80fd\u986f\u793a\u51fa\u73feXSS\u653b\u64ca\u7684\u7a0b\u5f0f\u78bc\u3002\u7db2\u9801\u61c9\u7528\u7a0b\u5f0f\u9632\u706b\u7246\uff08WAF\uff09\u53ef\u4ee5\u5e6b\u5f97\u4e0a\u5fd9\uff1bWAF\u9084\u5177\u5099\u80fd\u5920\u4ed4\u7d30\u6aa2\u67e5\u8a0a\u606f\u8173\u672c\uff08\u5982JavaScript\uff09\u7684\u904e\u6ffe\u5668\uff0c\u4e26\u4e14\u63d0\u4f9b\u4e00\u4e9b\u6f0f\u6d1e\u653b\u64ca\u7684\u9632\u8b77\u3002\u958b\u767c\u4eba\u54e1\u53ef\u4ee5\u8003\u616e\u63a1\u53d6\u7e31\u6df1\u9632\u79a6\uff08\u57ce\u5821\u65b9\u5f0f\uff09\u7684\u5b89\u5168\u7b56\u7565\uff1a\u5728\u7db2\u7ad9\u6216\u7db2\u9801\u61c9\u7528\u7a0b\u5f0f\u5167\u63a1\u53d6\u591a\u5c64\u6b21\u9632\u79a6\u6a5f\u5236\u4ee5\u6e1b\u5c11\u88ab\u653b\u64ca\u6210\u529f\u7684\u53ef\u80fd\u6027\u3002<\/p>\n

          \u6e1b\u5c11\u66b4\u9732\u81ea\u5df1\u3002<\/em><\/strong>\u958b\u767c\u4eba\u54e1\u61c9\u8a72\u505c\u7528\u7db2\u7ad9\u3001\u8cc7\u6599\u5eab\u6216\u7db2\u9801\u61c9\u7528\u7a0b\u5f0f\u4e0d\u5fc5\u8981\u7684\u5143\u4ef6\u3002\u9019\u6709\u6642\u6703\u589e\u52a0\u53d7\u653b\u64ca\u9762\u3002\u50cf\u662f\u53ef\u4ee5\u63d0\u5347\u6b0a\u9650\u548c\u7522\u751f\u547d\u4ee4shell\u7684\u529f\u80fd\u5c0d\u60f3\u8981\u52ab\u6301SQL\u4f3a\u670d\u5668\u5e33\u865f\u7684\u99ed\u5ba2\u4f86\u8aaa\u5f88\u6709\u7528\u3002\u900f\u904e\u6587\u4ef6\u578b\u5225\u5b9a\u7fa9\uff08Data Type Definition, DTD\uff09\u9632\u6b62\u4f7f\u7528\u5be6\u9ad4\u5ba3\u544a\u7684\u6587\u4ef6\u4e0a\u8f09\u53ef\u4ee5\u964d\u4f4e\u61c9\u7528\u7a0b\u5f0f\u906d\u53d7XXE\u653b\u64ca\u7684\u98a8\u96aa\u3002\u4f7f\u7528API\u53ef\u4ee5\u5728\u7cfb\u7d71\u547d\u4ee4\u88ab\u547c\u53eb\u524d\u5e6b\u52a9\u5206\u96e2\u547d\u4ee4\u548c\u53c3\u6578\u3002\u5efa\u8b70IT\u5c08\u5bb6\u505c\u7528\u4e0d\u5fc5\u8981\u6216\u672a\u4f7f\u7528\u7684\u7aef\u53e3\uff08\u4f8b\u5982\u50c5\u6253\u958b\u9762\u5411\u5916\u90e8\u7db2\u8def\u7684HTTP\/HTTPS\u7aef\u53e3\uff09\u4ee5\u963b\u6b62\u67d0\u4e9b\u61c9\u7528\u7a0b\u5f0f\u5354\u5b9a\u76f8\u95dc\u7684\u7db2\u8def\u653b\u64ca\u548c\u60e1\u610f\u4f7f\u7528\u3002\u958b\u767c\u4eba\u54e1\u5728\u5efa\u7acb\/\u958b\u767c\u7db2\u7ad9\u548c\u7db2\u9801\u61c9\u7528\u7a0b\u5f0f\u6642\u4e5f\u540c\u6a23\u5730\u5fc5\u9808\u60f3\u5230\u9019\u4e9b\u3002<\/p>\n

          \u4fdd\u5b88\u81ea\u5df1\u7684\u79d8\u5bc6\u3002<\/em><\/strong> IT\u5c08\u5bb6\u61c9\u8a72\u8981\u5be6\u65bd\u6b0a\u9650\u7ba1\u7406\u653f\u7b56\u4f86\u6e1b\u5c11\u9700\u8981\u7ba1\u7406\u6b0a\u9650\u4f86\u5b58\u53d6\u7cfb\u7d71\/\u96fb\u8166\u7684\u653b\u64ca\u3002\u958b\u767c\u4eba\u54e1\u4e5f\u540c\u6a23\u5730\u80fd\u5920\u900f\u904e\u9650\u5236\u7db2\u7ad9\/\u61c9\u7528\u7a0b\u5f0f\u7684\u4f7f\u7528\u8005\u6b0a\u9650\u4ee5\u53ca\u52a0\u5bc6\u6216\u96dc\u6e4a\u5316\u5e33\u5bc6\u548c\u5176\u4ed6\u654f\u611f\u8cc7\u6599\uff08\u5982\u9023\u7dda\u5b57\u4e32\uff09\u505a\u5230\u4e00\u6a23\u7684\u4e8b\u60c5\u3002\u5bb3\u4eba\u53ef\u4ee5\u901a\u904e\u932f\u8aa4\u9801\u9762\u4f86\u53d6\u5f97\u8a31\u591a\u95dc\u65bc\u8cc7\u6599\u5eab\u67b6\u69cb\u7684\u8cc7\u8a0a\u3002\u958b\u767c\u4eba\u54e1\u53ef\u4ee5\u5728\u5916\u90e8\u932f\u8aa4\u9801\u9762\u53ea\u5448\u73fe\u6700\u5c11\u8cc7\u8a0a\u4f86\u89e3\u6c7a\u6b64\u554f\u984c\uff0c\u78ba\u4fdd\u653b\u64ca\u8005\u53ea\u770b\u5230\u672a\u8655\u7406\u7684\u932f\u8aa4\u8a0a\u606f\u3002<\/p>\n

          \u518d\u4e09\u6aa2\u67e5\u3002<\/em><\/strong>\u958b\u767c\u4eba\u54e1\u8207IT\u5c08\u5bb6\u5728\u90e8\u7f72\u7db2\u9801\u61c9\u7528\u7a0b\u5f0f\/\u7db2\u7ad9\u524d\u8981\u5148\u6e2c\u8a66\u662f\u5426\u6709\u6f0f\u6d1e\u3002\u5c0d\u4f7f\u7528\u8cc7\u6599\u5eab\u7684\u61c9\u7528\u7a0b\u5f0f\/\u670d\u52d9\u548c\u7db2\u7ad9\u5b9a\u671f\u9032\u884c\u6ef2\u900f\u6e2c\u8a66\u6709\u52a9\u65bc\u627e\u51fa\u5176\u4ed6\u63aa\u65bd\u6c92\u6709\u9632\u79a6\u5230\u7684\u5b89\u5168\u6f0f\u6d1e\u3002\u5728\u6aa2\u67e5\u904e\u7a0b\u4e2d\u6301\u7e8c\u76e3\u63a7\u7db2\u7ad9\u3001\u8edf\u9ad4\u6216\u8cc7\u6599\u5eab\u57fa\u790e\u67b6\u69cb\u4f86\u627e\u51fa\u53ef\u80fd\u88ab\u5ffd\u7565\u7684\u5b89\u5168\u6f0f\u6d1e\u6216\u98a8\u96aa\u7684\u76f8\u95dc\u8cc7\u8a0a\u3002<\/p>\n

          \u88dc\u4e0a\u6f0f\u6d1e\uff08\u4e26\u767c\u51fa\u8b66\u5831\uff09\u3002<\/em><\/strong>\u4e8b\u4ef6\u56de\u61c9\u610f\u5473\u8457\u5fc5\u9808\u4e3b\u52d5\u9032\u884c\u56de\u5fa9\u5de5\u4f5c\u3002\u9451\u8b58\u548c\u65e5\u8a8c\u5206\u6790\u5de5\u5177\u53ef\u4ee5\u5354\u52a9\u7cfb\u7d71\u7ba1\u7406\u54e1\u548cIT\u5c08\u5bb6\u627e\u51fa\u99ed\u5ba2\u7684\u9032\u5165\u9ede\uff0c\u7136\u5f8c\u627e\u5230\u958b\u767c\u4eba\u54e1\u53ef\u4ee5\u4fee\u88dc\u7684\u6f0f\u6d1e\u6216\u6709\u6f0f\u6d1e\u7684\u7d44\u4ef6\u3002\u9019\u5305\u542b\u53ef\u4ee5\u53d6\u5f97\u786c\u789f\u8cc7\u6599\u548c\u6620\u50cf\u6a94\uff0c\u6aa2\u67e5\u548c\u5206\u6790\u6a94\u6848\u3001\u8a3b\u518a\u8868\u3001\u96fb\u5b50\u90f5\u4ef6\u3001\u8a18\u61b6\u9ad4\u3001\u7db2\u9801\u548c\u7db2\u8def\u6d41\u91cf\u7684\u5de5\u5177\u3002\u662f\u5426\u6709\u4efb\u4f55\u8cc7\u6599\u88ab\u5916\u6d29\u6216\u88ab\u7aca\uff1f\u653b\u64ca\u662f\u5426\u8b8a\u52d5\u4e86\u7db2\u7ad9\u6216\u4f3a\u670d\u5668\u4e0a\u7684\u8cc7\u6599\uff1f\u4e86\u89e3\u7d44\u7e54\u7684\u98a8\u96aa\u72c0\u6cc1\u4e5f\u80fd\u5920\u7c21\u5316\u5206\u6790\u3002\u4e0d\u8981\u5fd8\u8a18\u9a57\u8b49\u4e26\u901a\u77e5\u76f8\u95dc\u4eba\u54e1\u3002<\/p>\n

           <\/p>\n

          \u8da8\u52e2\u79d1\u6280\u89e3\u6c7a\u65b9\u6848<\/strong><\/h3>\n

          \u8da8\u52e2\u79d1\u6280Deep Discovery\u9032\u968e\u7db2\u8def\u5b89\u5168\u9632\u8b77<\/a> <\/u>\u548cVulnerability Protection <\/u>\u6f0f\u6d1e\u9632\u8b77<\/u>\u63d0\u4f9b\u865b\u64ec\u4fee\u88dc<\/a>\u6280\u8853\uff0c\u53ef\u4ee5\u4fdd\u8b77\u7aef\u9ede\u514d\u65bc\u6f0f\u6d1e\u653b\u64ca\u5a01\u8105\u3002\u5373\u4f7f\u5728\u90e8\u7f72\u4fee\u88dc\u7a0b\u5f0f\u4e4b\u524d\uff0c\u8da8\u52e2\u79d1\u6280OfficeScan<\/a>\u7684Vulnerability Protection\u4e5f\u53ef\u4ee5\u4fdd\u8b77\u7aef\u9ede\u514d\u65bc\u5df2\u77e5\u548c\u672a\u77e5\u7684\u6f0f\u6d1e\u653b\u64ca\u3002\u8da8\u52e2\u79d1\u6280\u7684Deep Discovery\u9032\u968e\u7db2\u8def\u5b89\u5168\u9632\u8b77<\/a><\/u> \u900f\u904e\u7279\u88fd\u5f15\u64ce\u3001\u5ba2\u88fd\u5316\u6c99\u7bb1<\/a>\u548c\u6a6b\u8de8\u6574\u500b\u653b\u64ca\u751f\u547d\u9031\u671f\u7684\u7121\u7e2b\u95dc\u806f\u6280\u8853\u4f86\u5c0d\u6f0f\u6d1e\u653b\u64ca\u9032\u884c\u5075\u6e2c\u3001\u6df1\u5165\u5206\u6790\u548c\u4e3b\u52d5\u56de\u61c9\uff0c\u5f9e\u800c\u53ef\u4ee5\u7121\u9700\u66f4\u65b0\u5f15\u64ce\u548c\u7279\u5fb5\u78bc\u5c31\u80fd\u5920\u5075\u6e2c\u50cf\u7db2\u9801\u6ce8\u5165\uff08Web Injection\uff09\u9019\u4e9b\u653b\u64ca\u3002<\/p>\n

           <\/p>\n

           <\/p>\n

          @\u539f\u6587\u51fa\u8655\uff1aInfoSec Guide: \u7db2\u9801 Injections<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

          \u7db2\u9801\u6ce8\u5165\uff08Web Injection\uff09\u662f\u6bcf\u4f4d\u7a0b\u5f0f\u8a2d\u8a08\u5e2b\u3001\u958b\u767c\u8005\u548c\u8cc7\u8a0a\u5b89\u5168\uff08InfoSec\uff09\u5c08\u5bb6\u6240\u982d\u75bc\u7684\u554f\u984c\uff0c\u4e5f […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","_wpscppro_dont_share_socialmedia":false,"_wpscppro_custom_social_share_image":0,"_facebook_share_type":"","_twitter_share_type":"","_linkedin_share_type":"","_pinterest_share_type":"","_linkedin_share_type_page":"","_instagram_share_type":"","_medium_share_type":"","_threads_share_type":"","_google_business_share_type":"","_selected_social_profile":[],"_wpsp_enable_custom_social_template":false,"_wpsp_social_scheduling":{"enabled":false,"datetime":null,"platforms":[],"status":"template_only","dateOption":"today","timeOption":"now","customDays":"","customHours":"","customDate":"","customTime":"","schedulingType":"absolute"},"_wpsp_active_default_template":true},"categories":[1268],"tags":[4055,4056],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/57572"}],"collection":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=57572"}],"version-history":[{"count":0,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/57572\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=57572"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=57572"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=57572"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}