Đây là bài viết khá cơ bản và đầy đủ cho các ứng dụng web php (apache).
Bạn nên đọc để biết các lỗi có thể bị khai thác, cách khai thác và từ đó đưa ra cách giải quyết cho mình.
Weaknesses in Web-Applications v1.7tác giả theblacksheep
Nội dung: (chi tiết bạn download file trên về đọc)
#- Introduction
#- General - Collecting Information
- Google
#- Viewing the Source of a Web Page
#- Editing of Source Code
#- JavaScript Inline Debugger
#- Directory Listing/Index Browsing
#- robots.txt
#- Reverse Directory Transversal
#- Information Storage In Files
#- Header Based Exploitation
#- X-Forwarded-For: IP-Spoofing
#- Mime Type Spoofing
#- CRLF-Injection
#- Global Variables
#- Remote Files
#- Library Files
#- Session Files
#- NULL Byte
#- SQL-Injection
#- Cross Site Scripting
#- Cross-Site Request Forgeries (CSRF)
#- Session Fixation
#- Loose Typing And Associative Arrays
#- Interesting PHP Functions
- ereg()
- file()
- file_get_contents()
- fopen()
- include()
- include_once()
- is_dir()
- is_file()
- phpinfo()
- readfile()
- require()
- require_once()
- touch()
- unlink()
#- PHP vulnerabilities
- copy (4.4.2, 5.1.2 and prior - Safe Mode Bypass)
- error_log (4.4.2 and prior, 5.1.4 and prior - Safe Mode Bypass)
- phpinfo (4.4.2, 5.1.2 and prior - Cross Site Scripting)
(4.4.0 and prior - Cross Site Scripting)
(4.4.0, 5.0.5 and prior - Cross Site Scripting)
#- Apache - Unknown Mime Type Trouble
#- Interesting Files
#- Useful Commands
#- HTTP Error Codes
#- Execution Of Shell Commands
#- Protecting PHP
#- Web bugs
#- Faking Cookies
#- Getting the source code of ".swf" Flash files
#- Getting the source code of ".class"/".jar" Java applet files
#- Passwords (guessing, brute force, dictionary attack)
#- Tools
- CGIProxy
- Proxomitron
#- Buffer Overflow
#- Format String
#- Heap Overflow
#- Integer Overflow
#- Other interesting tutorials you should read
#- Thx!
#- History