
How to prevent a website from being compromised

Website: www.au08.cn  2023-07-03  Author: admin


1. Dangerous upload vulnerabilities

These fall into three categories:
One type is an upload point with no authentication at all, where a trojan (webshell) can be uploaded directly.
One type is an upload point where merely registering an account is enough to upload, and the upload itself is not filtered properly either.
One type is an upload that sits behind the authentication of the administrator's back-end.
Some upload points accept a script trojan as-is, others only after a certain amount of processing. Either way, many attackers take over a site's privileges through an upload.

2. Injection vulnerabilities

Injection vulnerabilities in the various scripting platforms differ in how they are exploited and in the privileges they yield. The dangerous ones can directly threaten the server's system-level privileges. An ordinary injection can dump the account information held in the database, giving the attacker the administrator's password or other useful data. With higher privileges, an attacker can write a webshell directly, read the server's directories and files, add an administrative account, replace services, and carry out other attacks.

3. Relay injection, also called cookie relay injection

Strictly speaking this belongs under the previous category, but I list it separately. Some programs, or the add-on anti-injection scripts placed in front of them, only filter the parameters arriving via POST or GET and ignore cookies. An attacker therefore only has to relay the same input through a cookie to achieve the injection anyway.

4. Writing a trojan into the database

Some programmers once believed that an mdb database file was too easy to download, so they renamed it to an asp or asa extension. They did not expect this change to create an even larger security hole. Both formats can still be downloaded to a local machine with Thunder (Xunlei). Worse, an attacker can find some way to submit a one-line trojan so that it is inserted into the database, then connect to it with a client tool and obtain privileges on the site.

5. Database backup

This is in fact a feature in the back-end of many sites, intended to let administrators back up the database. Attackers, however, use it to change the format of an image trojan they uploaded with a backdoor into a real script trojan format, and so obtain privileges. I remember one site system whose database backup page had no administrative authentication, which made the harm even greater. Some sites do restrict database backup, but it has still been bypassed under certain special circumstances. For example, the formats the attacker is allowed to back up to
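As an added defensive example (not the site's or the author's code), the following Python handler applies the checks that sections 1 and 5 call for: an upload requires an authorized account, the filename and the file's leading bytes must both agree with an image allowlist, the stored name is chosen by the server, and the database backup feature is confined to *.bak files in a fixed directory so it cannot rename an uploaded image into a script. The role names, the backup directory and the session dict shape are assumptions.

```python
import os
import secrets

# Constructed table of file signatures for the image types this handler
# accepts (assumption: the site only needs JPEG and PNG uploads).
IMAGE_MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
}
UPLOAD_ROLES = {"admin", "editor"}   # assumption: who may upload at all
BACKUP_DIR = "/var/backups/db"       # assumption: fixed dir outside the web root


def check_upload(user, filename, data):
    """Return (accepted, reason) for one upload request.

    `user` is None for anonymous requests, otherwise a dict with a "role"
    key (hypothetical session shape). Covers the three cases in section 1:
    no authentication, self-registered accounts, and missing filtering."""
    if user is None or user.get("role") not in UPLOAD_ROLES:
        return False, "not authorized"
    base = os.path.basename(filename)
    # One dot, no NUL or ';': blocks "a.asp;.jpg", "a.asp\x00.jpg", "a.asp.jpg".
    if not base or "\x00" in base or ";" in base or base.count(".") != 1:
        return False, "unsafe filename"
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in IMAGE_MAGIC:
        return False, "extension not allowed"
    # The bytes must match the claimed type; the name alone proves nothing.
    if not data.startswith(IMAGE_MAGIC[ext]):
        return False, "content does not match extension"
    return True, "ok"


def stored_name(ext):
    """Server-chosen random name; the client's filename is never reused, so
    a valid image with a payload appended stays a harmlessly named image."""
    return secrets.token_hex(16) + "." + ext


def backup_target_ok(requested_name):
    """Section 5 guard: the backup feature may only write a *.bak file inside
    BACKUP_DIR, so it cannot rename an uploaded image into a script file."""
    if any(c in requested_name for c in "/\\\x00"):
        return False
    root, ext = os.path.splitext(requested_name)
    return bool(root) and ext.lower() == ".bak"
```

The backup guard is deliberately stricter than an extension denylist: it names the one format the feature legitimately needs and refuses everything else, including path components.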
