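I have a server that has been attacked multiple times. After deleting almost everything, I now have only some static files (html, js, jpg) and a single php file that returns a JSON array (it doesn't even contain <?php ?>). It could just as well be a .json file. Is it possible to inject a host that only contains a PHP file returning JSON?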
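Is it possible for some hacker to inject code anyway? My hosting support insists that it is. I really doubt it, but they don't want to take any responsibility. Any ideas?
(Sorry if this post doesn't follow some rule)
Here is the chat: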
Chat ID: 41409607 Initial Question: Injections keep coming even though I only have a single php file.. can you scan, please? Maybe there is a cron or something hidden?
10:18:49 PM Chuck R Hello Mario, this is Chuck with Sitelock. Usually this can happen with URL injection.
10:19:15 PM Mario Morales against what?
10:19:26 PM Mario Morales I have only static pages
10:19:41 PM Mario Morales and a php that returns a string. No code on it
10:20:04 PM Mario Morales :(
10:21:24 PM Chuck R There is a page, meaning it can be injected.
10:23:46 PM Mario Morales even if it has only a JSON on it?
10:24:02 PM Chuck R Yes, unfortunately.
10:24:18 PM Chuck R The only way for a site not to be hacked is to not have it, or for it to be parked.
10:26:17 PM Mario Morales Really?
10:26:26 PM Mario Morales First time I heard that
10:27:42 PM Chuck R Yes. Definitely is unfortunate but it's the way it is.
10:29:01 PM Mario Morales I can't find an example of how a php file containing only "[{key:value},{key:value}]" can be injected.
10:29:05 PM Mario Morales but ok
10:29:39 PM Mario Morales Let me copy the chat and ask on some forum
10:29:45 PM Chuck R Well it's happening.
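What is the code in the PHP file? –
Why does your php file have data in JSON format? Isn't that a problem in itself? I'm just curious how only '[{key:value},{key:value}]' can reside in a php file. – coderodour
@coderodour If you don't type '<?php', then essentially it's just raw data, like '.html' or '.json'. –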