摘要
敏感目录是指目标服务器上存在含有敏感名称的目录,这些目录中可能包含了大量的敏感文件和信息。利用该漏洞,攻击者可全面了解目标服务器的网站架构,甚至获取敏感文件中的敏感信息,从而得到目标服务器的控制权,实施进一步攻击。论文介绍了敏感目录漏洞及其危害,对HTTP协议及URL进行分析,设计并实现了以字典为检测标准的自动化检测脚本,判断指定主机是否存在该漏洞,并在实际测试中被成功应用。
Sensitive paths are paths on the target server that contain sensitive names,which may contain a large number of sensitive files and information.Using this vulnerability,attackers can fully understand the target server's site architecture,and even access sensitive information in sensitive files to gain control of the target server for further attacks.This paper introduces the sensitive paths vulnerability and its effects,analyzes the HTTP protocol and URL,designs and implements the automated detection script based on the dictionary which is successfully applied in the actual test to judge whether the server exists the vulnerability.
作者
李晨阳
陈吟
樊云
王镜琅
雷敏
Li Chen-yang;Chen Yin;Fan Yun;Wang Jing-lang;Lei Min(School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing 100876;National Engineering Laboratory for Disaster Recovery Technology, Beijing 100876;Sichuan Kerui Software Co., Ltd., SichuanMianyang 621000)
出处
《网络空间安全》
2018年第1期69-73,共5页
Cyberspace Security
基金
国家科技支撑计划(项目编号:2015BAH08F02)
