试图利用?
[英]Attempted exploit?
问题描述
I saw that my nopCommerce site had a logged search for: 
我看到我的nopCommerce网站有一个记录搜索:
ADw-script AD4-alert(202) ADw-/script AD4-
I'm a bit curious though what they were trying to accomplish. 虽然他们想要完成什么,但我有点好奇。 I searched a bit for it and appearently the ADw-script AD4- encodes in UTF7 to <script> . 我搜索了一下,显然ADw-script AD4-以UTF7编码为<script> 。 But why the alert(202) ? 但为什么alert(202) ?
Were they just checking for vulnerabilities? 他们只是检查漏洞吗?
More hacking attemps was logged and I made a new question about them here: Hacking attempt, what were they trying to do and how can I check if they succeeded? 记录了更多的黑客尝试,我在这里提出了一个关于他们的新问题: 黑客企图,他们试图做什么以及如何检查他们是否成功?
4 个解决方案
解决方案1
9 已采纳 2011-03-01 10:57:16
Someone is checking if you have a UTF-7 injection vulnerability to exploit it later. 有人正在检查您是否有UTF-7注入漏洞以便以后使用它。 UTF-7 uses only characters that are usually not considered harmful. UTF-7仅使用通常不被视为有害的字符。 Do you always use meta charset in your HTML? 你总是在HTML中使用meta charset吗?
Always use meta charset as high as possible in your HTML, like this: 始终在HTML中尽可能使用meta charset,如下所示:
<!doctype html>
<html lang="en-us">
<head>
<meta charset="utf-8">
...
and you won't have to worry about UTF-7 based XSS attacks. 而且您不必担心基于UTF-7的XSS攻击。
解决方案2
3 2011-03-01 10:51:28
Yup , they were just checking if your site is vulnerable for XSS. 是的,他们只是检查您的网站是否容易受到XSS攻击。
Read http://www.cgisecurity.com/xss-faq.html 阅读http://www.cgisecurity.com/xss-faq.html
and Rsnakes XSS cheat-sheet 和Rsnakes XSS备忘单
http://ha.ckers.org/xss.html http://ha.ckers.org/xss.html
for more info 了解更多信息
解决方案3
2 2011-03-01 10:50:01
Presumably seeing the alert(202) execute would allow the attacker to decide whether it was feasible to inject JS onto your page. 据推测,看到alert(202)执行将允许攻击者决定将JS注入您的页面是否可行。 In other words, yes, you were probably being probed. 换句话说,是的,你可能正在被探查。
解决方案4
0 2014-09-11 08:38:06
If you want to be safe from these types of Injections, you must specify a Content-Type. 如果您希望安全地使用这些类型的进样,则必须指定Content-Type。
Try to put the Content-Type in headers instead of meta tags if possible. 如果可能,尝试将Content-Type放入标题而不是元标记。 If you want to do it in php, you can do 如果你想在php中做,你可以做到
<?php
header('Content-Type: text/html;charset=utf-8');
at the top of your php application. 在你的PHP应用程序的顶部。 If for some reasons you can't do it, you can put it in your meta tags: 如果由于某些原因你不能这样做,你可以把它放在你的meta标签中:
<!DOCTYPE HTML>
<html>
<head>
<meta charset="utf-8">
....Rest of your page
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.