原文:http://hi.baidu.com/dream621/blog/item/7f60de82781b37b96d81196d.html
PHP代码
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- function pdf2png($PDF,$Path){
- if(!extension_loaded('imagick')){
- return false;
- }
- if(!file_exists($PDF)){
- return false;
- }
- $IM = new imagick();
- $IM->setResolution(120,120);
- $IM->setCompressionQuality(100);
- $IM->readImage($PDF);
- foreach ($IM as $Key => $Var){
- $Var->setImageFormat('png');
- $Filename = $Path.'/'.md5($Key.time()).'.png';
- if($Var->writeImage($Filename) == true){
- $Return[] = $Filename;
- }
- }
- return $Return;
- }
主要是思路不错就转发了
不说啥了,直接上原文:
两篇文章的地址分别为:http://rdc.taobao.com/blog/qa/?p=857
http://rdc.taobao.com/blog/qa/?p=882
什么是xss漏洞
XSS又叫CSS英文缩写为Cross Site Script
中文意思为跨站脚本攻击
具体内容指的是恶意攻击者往Web页面里插入恶意html代码,当用户浏览该页之时,
嵌入其中Web里面的html代码会被执行,从而达到恶意用户的特殊目的.
xss的漏洞危害
- 获取用户cookie
- 修改页面信息
- 浏览器劫持
- 与其他漏洞结合(如:csrf漏洞)
- 其他
xss漏洞实例演示
xss漏洞是如何产生的
以下Velocity模板VM中常见的代码
- <span>$!productName</span>
- <script>var from = ‘$!rundata.Parameters.getString(’from’)';</script>
对于第一种类型的代码我们可以输入变量为
<iframe src=http://hacker.com></iframe>
第一种类型的代码将变为
<span><iframe src=http://hacker.com></iframe></span>
对于第二种类型的代码我们可以输入变量为
‘;hackerFunction(document.cookie);’
第二种类型的代码将变为
<script>var from = ”;hackerFunction(document.cookie);”; </script>
以上两种类型的代码都轻易的被植入了恶意的脚本,也就是说产生了传说中的xss漏洞。
xss漏洞如何预防
1. 对于非富文本针对入参进行转义
可通过escapeHtml和JavaScript进行转义。
转义过后上面的代码将会变成
<span><iframe src&equalshttp&colon&sol&solhacker&periodcom><&soliframe></span>
转义后用户输入的恶意脚本代码就不会被执行从而达到了预防和修复的目的。
2. 对于富文本入参进行过滤
略。
总结
本篇简要介绍了什么是xss漏洞,xss漏洞在代码中是如何产生的,简单介绍了如何去预防和修复xss漏洞。
黑盒手动测试
对于非富文本在输入框中输入特殊字符 <”tiehua ‘> 提交
在提交后的页面查看源代码根据关键字tiehua查找源代码中的tiehua前后的<”>’是否已经被转义成
<">&apos 如果未被转义说明这个输入框存在xss漏洞的嫌疑(提交bug)。
对于富文本输入框输入<img onerror=”alert(123)” src=http://xxx.com>提交页面
如果页面有出现排版问题或者js错误说明这个输入框存在xss漏洞的嫌疑(提交bug)。
链接带参数的如:
http://mall.taobao.com/?ad_id=&am_id=&cm_id=&pm_id=
该链接包含了4个参数,对于这种的测试方法和输入框测试方法一样只不过把参数当成你的输入框进行
提交。如:
http://mall.taobao.com/?ad_id=<”tiehua’>&am_id=&cm_id=&pm_id=
另:可能大家会说光这点不足以说服开发修改bug,很可惜本文旨在说明如何找到xss漏洞并不是说明
如何利用xss漏洞,感兴趣的看情况线下交流呵呵。
黑盒工具测试
推荐工具
- Paros(免费)
- Acunetix.Web.Vulnerability.Scanner (商业工具)
白盒代码扫描测试
在上一篇中我们讲到了xss漏洞产生的代码原因和解决方法如:
<span>$!productName</span>
此类的非富文本代码我们可以强制要求规范为:
<span> $!stringEscapeUtil.escapeHtml ($!productName)</span>
对于富文本的我们可以强制要求代码规范为通过过滤层过滤。
根据以上的两条规则,我们可以从白盒代码上去进行静态扫描代码是否按照规范编写来预防和筛选xss漏洞。
在网上看到一个贴子,是说利用16进制输出所有中文,例子如下:
PHP代码
- <?php
- $begin = hexdec ( " 4e00 " );
- $end = hexdec ( " 9fa5 " );
- $a = '["' ;
- for ( $i = $begin ; $i <= $end ; $i ++ ) {
- $a .= ' \u ' . dechex ( $i );
- if ( $i % 10 == 0 ) {
- $a .= " <br> " ;
- }
- }
- $a .= ' "] ' ;
- print_r (json_decode( $a ));
- ?>
看到这个例子,相信也能看得出了,那两个数字是不是与网上那种正则判断中文的很象啊。
由于json_encode转换中文时会把中文全部转换成16进制,这样在输出的时候就不会因为浏览器的字符集不支持而出现问题。所以同样的,利用decode也就相当于把这些16进制转换成中文了。其实并不需要这么复杂,只要在前面加上&#后面加上;就可以输出中文了。
看到这样的代码后想起昨天一个根据.net程序改的读取中文字的拼音的程序。
PHP代码
- <?php
-
-
- $strVal = array(
- -20319,-20317,-20304,-20295,-20292,-20283,-20265,-20257,-20242,-20230,-20051,-20036,
- -20032,-20026,-20002,-19990,-19986,-19982,-19976,-19805,-19784,-19775,-19774,-19763,
- -19756,-19751,-19746,-19741,-19739,-19728,-19725,-19715,-19540,-19531,-19525,-19515,
- -19500,-19484,-19479,-19467,-19289,-19288,-19281,-19275,-19270,-19263,-19261,-19249,
- -19243,-19242,-19238,-19235,-19227,-19224,-19218,-19212,-19038,-19023,-19018,-19006,
- -19003,-18996,-18977,-18961,-18952,-18783,-18774,-18773,-18763,-18756,-18741,-18735,
- -18731,-18722,-18710,-18697,-18696,-18526,-18518,-18501,-18490,-18478,-18463,-18448,
- -18447,-18446,-18239,-18237,-18231,-18220,-18211,-18201,-18184,-18183, -18181,-18012,
- -17997,-17988,-17970,-17964,-17961,-17950,-17947,-17931,-17928,-17922,-17759,-17752,
- -17733,-17730,-17721,-17703,-17701,-17697,-17692,-17683,-17676,-17496,-17487,-17482,
- -17468,-17454,-17433,-17427,-17417,-17202,-17185,-16983,-16970,-16942,-16915,-16733,
- -16708,-16706,-16689,-16664,-16657,-16647,-16474,-16470,-16465,-16459,-16452,-16448,
- -16433,-16429,-16427,-16423,-16419,-16412,-16407,-16403,-16401,-16393,-16220,-16216,
- -16212,-16205,-16202,-16187,-16180,-16171,-16169,-16158,-16155,-15959,-15958,-15944,
- -15933,-15920,-15915,-15903,-15889,-15878,-15707,-15701,-15681,-15667,-15661,-15659,
- -15652,-15640,-15631,-15625,-15454,-15448,-15436,-15435,-15419,-15416,-15408,-15394,
- -15385,-15377,-15375,-15369,-15363,-15362,-15183,-15180,-15165,-15158,-15153,-15150,
- -15149,-15144,-15143,-15141,-15140,-15139,-15128,-15121,-15119,-15117,-15110,-15109,
- -14941,-14937,-14933,-14930,-14929,-14928,-14926,-14922,-14921,-14914,-14908,-14902,
- -14894,-14889,-14882,-14873,-14871,-14857,-14678,-14674,-14670,-14668,-14663,-14654,
- -14645,-14630,-14594,-14429,-14407,-14399,-14384,-14379,-14368,-14355,-14353,-14345,
- -14170,-14159,-14151,-14149,-14145,-14140,-14137,-14135,-14125,-14123,-14122,-14112,
- -14109,-14099,-14097,-14094,-14092,-14090,-14087,-14083,-13917,-13914,-13910,-13907,
- -13906,-13905,-13896,-13894,-13878,-13870,-13859,-13847,-13831,-13658,-13611,-13601,
- -13406,-13404,-13400,-13398,-13395,-13391,-13387,-13383,-13367,-13359,-13356,-13343,
- -13340,-13329,-13326,-13318,-13147,-13138,-13120,-13107,-13096,-13095,-13091,-13076,
- -13068,-13063,-13060,-12888,-12875,-12871,-12860,-12858,-12852,-12849,-12838,-12831,
- -12829,-12812,-12802,-12607,-12597,-12594,-12585,-12556,-12359,-12346,-12320,-12300,
- -12120,-12099,-12089,-12074,-12067,-12058,-12039,-11867,-11861,-11847,-11831,-11798,
- -11781,-11604,-11589,-11536,-11358,-11340,-11339,-11324,-11303,-11097,-11077,-11067,
- -11055,-11052,-11045,-11041,-11038,-11024,-11020,-11019,-11018,-11014,-10838,-10832,
- -10815,-10800,-10790,-10780,-10764,-10587,-10544,-10533,-10519,-10331,-10329,-10328,
- -10322,-10315,-10309,-10307,-10296,-10281,-10274,-10270,-10262,-10260,-10256,-10254
- );
- $strPy = array(
- "A","Ai","An","Ang","Ao","Ba","Bai","Ban","Bang","Bao","Bei","Ben",
- "Beng","Bi","Bian","Biao","Bie","Bin","Bing","Bo","Bu","Ba","Cai","Can",
- "Cang","Cao","Ce","Ceng","Cha","Chai","Chan","Chang","Chao","Che","Chen","Cheng",
- "Chi","Chong","Chou","Chu","Chuai","Chuan","Chuang","Chui","Chun","Chuo","Ci","Cong",
- "Cou","Cu","Cuan","Cui","Cun","Cuo","Da","Dai","Dan","Dang","Dao","De",
- "Deng","Di","Dian","Diao","Die","Ding","Diu","Dong","Dou","Du","Duan","Dui",
- "Dun","Duo","E","En","Er","Fa","Fan","Fang","Fei","Fen","Feng","Fo",
- "Fou","Fu","Ga","Gai","Gan","Gang","Gao","Ge","Gei","Gen","Geng","Gong",
- "Gou","Gu","Gua","Guai","Guan","Guang","Gui","Gun","Guo","Ha","Hai","Han",
- "Hang","Hao","He","Hei","Hen","Heng","Hong","Hou","Hu","Hua","Huai","Huan",
- "Huang","Hui","Hun","Huo","Ji","Jia","Jian","Jiang","Jiao","Jie","Jin","Jing",
- "Jiong","Jiu","Ju","Juan","Jue","Jun","Ka","Kai","Kan","Kang","Kao","Ke",
- "Ken","Keng","Kong","Kou","Ku","Kua","Kuai","Kuan","Kuang","Kui","Kun","Kuo",
- "La","Lai","Lan","Lang","Lao","Le","Lei","Leng","Li","Lia","Lian","Liang",
- "Liao","Lie","Lin","Ling","Liu","Long","Lou","Lu","Lv","Luan","Lue","Lun",
- "Luo","Ma","Mai","Man","Mang","Mao","Me","Mei","Men","Meng","Mi","Mian",
- "Miao","Mie","Min","Ming","Miu","Mo","Mou","Mu","Na","Nai","Nan","Nang",
- "Nao","Ne","Nei","Nen","Neng","Ni","Nian","Niang","Niao","Nie","Nin","Ning",
- "Niu","Nong","Nu","Nv","Nuan","Nue","Nuo","O","Ou","Pa","Pai","Pan",
- "Pang","Pao","Pei","Pen","Peng","Pi","Pian","Piao","Pie","Pin","Ping","Po",
- "Pu","Qi","Qia","Qian","Qiang","Qiao","Qie","Qin","Qing","Qiong","Qiu","Qu",
- "Quan","Que","Qun","Ran","Rang","Rao","Re","Ren","Reng","Ri","Rong","Rou",
- "Ru","Ruan","Rui","Run","Ruo","Sa","Sai","San","Sang","Sao","Se","Sen",
- "Seng","Sha","Shai","Shan","Shang","Shao","She","Shen","Sheng","Shi","Shou","Shu",
- "Shua","Shuai","Shuan","Shuang","Shui","Shun","Shuo","Si","Song","Sou","Su","Suan",
- "Sui","Sun","Suo","Ta","Tai","Tan","Tang","Tao","Te","Teng","Ti","Tian",
- "Tiao","Tie","Ting","Tong","Tou","Tu","Tuan","Tui","Tun","Tuo","Wa","Wai",
- "Wan","Wang","Wei","Wen","Weng","Wo","Wu","Xi","Xia","Xian","Xiang","Xiao",
- "Xie","Xin","Xing","Xiong","Xiu","Xu","Xuan","Xue","Xun","Ya","Yan","Yang",
- "Yao","Ye","Yi","Yin","Ying","Yo","Yong","You","Yu","Yuan","Yue","Yun",
- "Za", "Zai","Zan","Zang","Zao","Ze","Zei","Zen","Zeng","Zha","Zhai","Zhan",
- "Zhang","Zhao","Zhe","Zhen","Zheng","Zhi","Zhong","Zhou","Zhu","Zhua","Zhuai","Zhuan",
- "Zhuang","Zhui","Zhun","Zhuo","Zi","Zong","Zou","Zu","Zuan","Zui","Zun","Zuo"
- );
-
- function getPy ( $string )
- {
- global $strVal,$strPy;
- $py = '';
- $strLen = strLen( $string );
- for ( $ii = 0; $ii < $strLen; $ii++ ){
- $s = ord( $string[$ii] );
- if ( $s > 160 ){
- $ii++;
- $ss = ord( $string[$ii] );
- $_ss = $s * 256 + $ss - 65536;
- if ( $_ss == -9254 ){
- $py .= "Zhen";
- }else{
- foreach ( $strVal as $_k => $_v ){
- $_index = $_v > $_ss ? ($_k-1) : ($_v == $_ss ? $_k : 0 );
- if ( $_index ){
- $py .= $strPy[$_index];
- break;
- }
- }
- }
- }else{
- $py .= " {$string[$ii]} ";
- }
- }
- return $py;
- }
这是根据网上的例子改写而来,其实BUG不少,作业的作,是认不出的。还有GBK的字符也是认不出拼音的(好象GBK里的一些特殊字符的拼音规则和上面的数组并不一致)
不过,这些都算是我的备份吧。呵呵,同样,如果对拼音要求不高的朋友也可以拿来用用。
在使用swfupload上传文件的时候,老是绕不过登录验证。查了一下GOOGLe,没查到,问了百度,他告诉我答案:
swfuplaod在上传时,会新开一个进程,和原来的进程不一致,要解决这个问题,需要指定session_id,然后在登录页面判断,如果有post过来的session_id,那么就用函数session_id( $_POST['PHP_SESSIONID'])指定一下。
上传页的JS里面,可以获取当前的SESSION_ID的。
例如上传页的JS中:
post_params: {"PHPSESSID": "<?php echo session_id(); ?>"},
在验证的判断页中:
if (isset($_POST["PHPSESSID"])) {
session_id($_POST["PHPSESSID"]);
}
(这一段是网上的注释:在带有Session验证的网站后台中SWFUpload无法正常工作,这是因为SWFUpload在上传时相当于重新开辟了一个新的Session 进程,因此无法与原有程序的Session保持一致,这就需要在上传时传递原有程序的SessionID,根据它来“找回”其应有的Session。)