The database is the heart of most Web applications: it stores the data needed for the Websites and applications to "survive". It stores user credentials and sensitive financial information. It stores preferences, invoices, payments, inventory data, etc. It is through the combination of a database and Web scripting language that we as developers can produce sites that keep clients happy, pay the bills, and -- most importantly -- run our businesses.

But what happens when you realize that your critical data may not be safe? What happens when you realize that a new security bug has just been found? Most likely you either patch it or upgrade your database server to a later, bug-free version. Security flaws and patches are found all the time in both databases and programming languages, but I bet 9 out of 10 of you have never heard of SQL injection attacks...

Posted by Azr431 on PIXNET. Comments (2)

SQL Injection Paper

By zeroday.


http://www.divshare.com/download/2065779-9ca



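I previously wrote "Learn ASP in Ten Days", "Learn ASP.NET in Ten Days" and so on; thinking about it now, I may as well write one for PHP too, which rounds out the set. I won't go into how to debug PHP here; plenty of articles elsewhere cover it, and there are many different combinations. For now I am using Apache web server and MySQL as the web server and database, with the programs written in a php-4.3.3 environment. Of course, phpMyAdmin is indispensable for easily building and browsing the database. As for form design and the like, I don't want to say much here either; it was already covered in "Learn ASP in Ten Days". Below is a brief introduction to PHP syntax. 1. Embedding: similar to ASP, in PHP you can also

Logical operations: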


#-------------------
# The images in the article were not uploaded; contact me directly if you want to see them
#---------------------------


"Validate anything can be passed. Security lies in the inputs." - zk



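Preface

  My "SQL Injection with MySQL" (the July special feature of the magazine 《駭客防線》) already gave a fairly comprehensive introduction to MySQL injection, but there is one function with considerable potential for harm that I did not mention in that article, because if this function is used flexibly, the security of PHP and even of the server is greatly reduced. "SQL Injection with MySQL" was published during the summer holidays, and considering that many novices, students and unscrupulous people might misuse it, I did not include this in that article; in fact, the present article was finished in early May. Since the special feature was published, many people have gradually turned to researching PHP+MySQL injection, many new techniques will be uncovered one after another, and the undisclosed advanced techniques we hold in this area will also be published over time. As for the more basic material, this article will not cover it again.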


What is SQL Injection?
If you are designing a Web site, or already have an existing Web site, you may be worried about potential "attacks" from rogue users. Too often, Web site developers focus solely on the security issues of the chosen operating system and Web server the site will run on. While IIS security holes can allow for malicious attackers, IIS security is not the only item that should be on your security checklist. The code that is commonly written for data-driven Web sites is often as serious a hole as any IIS hole. Such a programming code hole that can be exploited has been dubbed the SQL injection attack.


1. Determine whether there is an injection point
; and 1=1 and 1=2


Overview of common
web related vulnerabilities
DanBUK (dan@f-box.org)


Organizations need a Web application scanning solution that can scan for security loopholes in Web-based applications to prevent would-be hackers from gaining unauthorized access to corporate applications and data. Web applications are proving to be the weakest link in overall corporate security, even though companies have left no stone unturned in installing the better-known network security and anti-virus solutions. Quick to take advantage of this vulnerability, hackers have now begun to use Web applications as a platform for gaining access to corporate data.



PHP is a terrific language for the rapid development of dynamic Websites. It also has many features that are friendly to beginning programmers, such as the fact that it doesn't require variable declarations. However, many of these features can lead a programmer inadvertently to allow security holes to creep into a Web application. The popular security mailing lists teem with notes of flaws identified in PHP applications, but PHP can be as secure as any other language once you understand the basic types of flaws PHP applications tend to exhibit.

In this article, I'll detail many of the common PHP programming mistakes that can result in security holes. By showing you what not to do, and how each particular flaw can be exploited, I hope that you'll understand not just how to avoid these particular mistakes, but also why they result in security vulnerabilities. Understanding each possible flaw will help you avoid making the same mistakes in your PHP applications.


Michael Schramm posted about another way to do image filter bypassing using alternate file streams on NTFS file systems. Pretty cool stuff (thinking outside the box of what a file really means on different systems). Here’s his English translation:

It’s all about the alternate file streams (ads) in NTFS file system (it’s a “feature”), you probably have heard of them. With ads, it’s possible to insert additional data streams to a file beside of its basic contents. For example you could insert ads.txt into the file foobar.txt with “type ads.txt>foobar.txt:somedescriptor”. A User won’t recognize that there is additional data in this file (even if the ads contains several gigabytes), the file foobar.txt will still appear with its original size and contents in file system. But anyway, this is not really essential for understanding what I’ve found out, I think you can inform yourself about ads if you want.


Javaphile
A Survey of Blind SQL Injection Attack Techniques
coolswallow of Javaphile (coolswallow@shaolin.org.cn)


Securing PHP - Approaches to Web Application security
Stanislav Malyshev
stas@zend.com

