It may require some insight into your target database server (which may not be known to the attacker); you should become familiar with the SQL extensions and stored procedures that your particular server implements. For example, Microsoft SQL Server has a stored

Chapter 12 Spoofing: Attacks on Trusted Identity

Most of the Web serves entire streams of data without so much as a blink to clients whose only evidence of their identity can be reduced to a single HTTP call: GET. That's a period to end the sentence, not an obligatory Slashdot reference. This is an obligatory Slashdot reference. The GET call is documented in RFC 1945 and is public knowledge. The protocol can support higher levels of authentication, and the upgrade to those levels is handled reasonably smoothly, but the base public-access system depends merely on knowing the HTTP protocol and being able to make a successful TCP connection to port 80.

Not all protocols are this open, however. Through either underdocumentation or restriction of sample code, many protocols are entirely closed. The mere ability to speak such a protocol authenticates one as worthy of what may very well be a substantial amount of trust; the presumption is that if you can speak the language, you are skilled enough to use it. That doesn't mean anyone wants you to, unfortunately.

The war between open source and closed source has been waged quite harshly in recent times and will continue to rage. Much is uncertain, but there is one specific argument that can actually be won: in the contest between open protocols and closed protocols, the mere ability to speak one or the other should never, ever, ever grant you enough trust to order workstations to execute arbitrary commands. Servers must be able to provide something, maybe even just a password, before they are allowed to execute commands on client machines.
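To make the distinction concrete, here is an added example (not code from the book or from any vendor's client) of a workstation that accepts commands from a "master server" over a line-oriented protocol, in two forms: an open client that obeys any well-formed message, because speaking the protocol is treated as authority, and an authenticated client that makes the server prove possession of a shared key for this exact command and a fresh nonce before running anything. The message format, the key, the nonce-keyed HMAC check and the command strings are all assumptions made for illustration; the book only asks for "something, maybe even just a password", and the nonce is added here so that a captured genuine message cannot simply be replayed.

```python
"""Constructed example: a client that runs commands sent by a master
server. Message format, key and commands are assumptions, not the
book's or any vendor's protocol."""
import hashlib
import hmac
import secrets

# Assumed pre-shared key: only the genuine master server knows it.
SERVER_KEY = b"pre-shared-secret-known-only-to-the-real-server"


def build_message(nonce: bytes, command: str, key=None) -> str:
    """Build 'CMD <nonce-hex> <tag-hex> <command>'. With the key the tag is
    HMAC-SHA256 over nonce||command; without it (an attacker who merely
    knows the format) only a placeholder tag can be emitted."""
    if key is None:
        tag = bytes(32)
    else:
        tag = hmac.new(key, nonce + command.encode(), hashlib.sha256).digest()
    return f"CMD {nonce.hex()} {tag.hex()} {command}"


def parse_message(line: str):
    """Split a CMD line into (nonce, tag, command); raise on malformed input."""
    parts = line.rstrip("\n").split(" ", 3)
    if len(parts) != 4 or parts[0] != "CMD":
        raise ValueError("not a CMD message")
    _, nonce_hex, tag_hex, command = parts
    return bytes.fromhex(nonce_hex), bytes.fromhex(tag_hex), command


class OpenClient:
    """Speaking the protocol is authority: every well-formed command runs."""

    def __init__(self):
        self.executed = []

    def handle(self, line: str) -> bool:
        _, _, command = parse_message(line)
        self.executed.append(command)  # stand-in for actually running it
        return True


class AuthenticatedClient:
    """Issues a fresh single-use nonce; runs a command only if the tag is a
    valid HMAC over that nonce and that command under the shared key."""

    def __init__(self, key: bytes):
        self.key = key
        self.executed = []
        self.pending_nonce = None

    def challenge(self) -> bytes:
        self.pending_nonce = secrets.token_bytes(16)
        return self.pending_nonce

    def handle(self, line: str) -> bool:
        nonce, tag, command = parse_message(line)
        if self.pending_nonce is None or nonce != self.pending_nonce:
            return False  # unsolicited, stale or replayed
        self.pending_nonce = None  # consume the nonce before checking the tag
        expected = hmac.new(self.key, nonce + command.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False  # could speak the protocol, could not prove identity
        self.executed.append(command)
        return True


def demo() -> dict:
    """Run the constructed scenarios and report what each client executed."""
    legit_cmd = "run login-script.bat"
    attacker_cmd = "format c:"

    open_client = OpenClient()
    open_obeyed = open_client.handle(
        build_message(secrets.token_bytes(16), attacker_cmd, key=None))

    auth_client = AuthenticatedClient(SERVER_KEY)
    n1 = auth_client.challenge()
    genuine = build_message(n1, legit_cmd, SERVER_KEY)
    genuine_ok = auth_client.handle(genuine)
    replay_ok = auth_client.handle(genuine)  # same bytes again: nonce spent

    n2 = auth_client.challenge()
    no_key_ok = auth_client.handle(build_message(n2, attacker_cmd, key=None))

    n3 = auth_client.challenge()
    wrong_key_ok = auth_client.handle(build_message(n3, attacker_cmd, b"guess"))

    return {
        "open_obeyed_attacker": open_obeyed,
        "auth_genuine": genuine_ok,
        "auth_replay": replay_ok,
        "auth_no_key": no_key_ok,
        "auth_wrong_key": wrong_key_ok,
        "open_executed": open_client.executed,
        "auth_executed": auth_client.executed,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The open client runs the attacker's command on nothing more than a correctly formatted line; the authenticated client runs only the one command whose tag was produced with the server's key for the nonce it had just issued, and rejects the replay, the tagless message and the wrong-key guess. That is the constraint the text is asking for: the server, not just the protocol, has to prove something.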
Unless this constraint is met, a deployment of a master server anywhere conceivably allows for control of hosts everywhere. Who made this mistake? Both Microsoft and Novell. Neither company's client software, with the possible exception of a Kerberized Windows 2000 network, does any authentication on the domains it is logging in to beyond verifying that