发布时间 : 星期四 文章计算机在线考试系统的安全漏洞及对策更新完毕开始阅读d4de6300bf23482fb4daa58da0116c175f0e1e31
在线考试系统的安全漏洞及对策
总计:毕业论文 51 页
插 图 0 幅 表 格 0 表
指导教师: 张长君 评 阅 人: 完成日期: 2006年5月31日
摘要
随着网络技术的飞速发展,现在很多国外的大学和社会其他部门都已经开设了远程教育,通过计算机网络实现异地教育和培训。现在,计算机硬件技术的发展已经达到了相当高的水平。但是,远程教育软件的开发目前还处于起步阶段,随着这项技术的不断深入发展,就要求有更好、更完善的软件系统应用到远程教育当中去,目前面向网络编程、数据库访问的多种技术中,比如JSP、PHP、ASP 中,ASP 以其开发周期短、存取数据简单、运行速度快而成为众多web 程序员的首选开发技术.但由于开发手段的直观、快速和高效,也带来了一定的安全隐患。数据库是在线考试系统的基础,通常都保存着重要的信息。大多数教育部门和学校的电子数据都保存在各种数据库中,他们用这些数据库保存一些个人资料,比如学生成绩等。在线考试系统数据库服务器还掌握着敏感的数据,包括考试的时间和考题。数据完整性和合法存取会受到很多方面的安全威胁,包括密码策略、系统后门、数据库操作以及本身的安全方案。但是在线考试系统数据库通常没有象操作系统和网络这样在安全性上受到重视。安全对于在线考试系统更为重要,本文以目前基于Web 的信息系统最常用的ASP+SQL Server 2000为例,探讨在线考试系统中可能存在的安全隐患,并给出相应的建议。
关键词:ASP;SQL Server 2000;安全漏洞;对策
I
ABSTRACT
Flying technically along with the network to develop soon, the university of now a lot of abroad all have set up with the social other section the long range educates, passing the calculator network realizes foreign land education with train. Now, the technical development in hardware in calculator has come to a very high horizontal. But, the long range educate the development of the software to still be placed in the stage in start now, along with this technical continuously thorough development, will beg the better and more perfect software system apply to the long range the education center go to, face to now the network plait distance, database visit in various techniques, for example in the JSP, PHP, ASP, ASP with its development cycle short, access data simple, run - time velocity quick and become the head of numerous the member of web procedures chooses to develop the technique. but because of development the means keeps the view, fleetness with efficiently, also brought the certainly safe hidden trouble. The database is the foundation of the on-line examination system, usually all keeping the important information. Educate the section to keep with the electron data of the school all mostly in every kind of database, they keep the some personal data with these databases, for example student score etc. The on-line examination system database server still controls the impressionable data, including the time of the examination with the subject of examination. The data integrity access and would suffer with the legality very in many ways of the safety threatens, including the password strategy, the back door of system, database the operation and oneself of safe project. But the wire examination system database usually has no elephant operate system to suffer to value on the safety like this with the network. The on-line examination system for safety is more important, this text with current according to Web the most in common use ASP in system in information+ SQL Server 2000 for a safe hidden trouble for, inquiring into on-line examination system inside possible to be existence, and give the homologous suggestion.
Key words:ASP;SQL Server 2000;Security Hole;Countermeasure
II
目录
1.绪论 ......................................................... 1
1.1本文研究的目的和意义 .................................... 1 1.2文献综述 ................................................ 1 1.2.1ASP简述 ......................................................................................... 1 1.2.2SQL Server 2000简述 ................................................................. 2
2.ASP漏洞分析和解决方法 ........................................ 3
2.1在ASP程序后加个特殊符号,能看到ASP源程序 .............. 3 2.2ACCESS 数据库有可能被下载的漏洞 .......................... 4 2.3code.asp文件会泄漏ASP代码 .............................. 5 2.4file system object 组件篡改下载fat分区上的任何文件的漏洞 6 2.5输入标准的HTML语句或者javascript语句会改变输出结果 .... 6 2.6ASP程序密码验证漏洞 ..................................... 7 2.7INDEX SERVER服务会漏洞ASP源程序 ........................ 8 2.8存在后门允许用户查看ASP文件源程序和下载整个网站 ........ 9 2.9IIS4.0受HTTP的D.O.S攻击漏洞 ........................... 9 2.10IIS5.0超长URL拒绝服务漏洞 ............................ 10 2.11请求不存在的idq或ida 文件会暴露服务器的物理地址 ...... 10 2.12NT Index Server存在返回上级目录的漏洞 ................. 11 2.13绕过验证直接进入ASP页面 .............................. 12 2.14IIS4.0/5.0特殊数据格式的URL请求远程DOS攻击 .......... 13 2.15IIS Web Server DOS ..................................... 14 2.16MS ODBC数据库连接溢出导致NT/9x拒绝服务攻击 ........... 14 2.17ASP主页.inc文件泄露问题 ............................... 16 2.18利用Activer server explorer可对文件进行读写访问 ...... 17 2.19IIS4.0/IIS5.0超长文件名请求存在漏洞 ................... 18 3.SQL Server 2000的安全漏洞 ................................... 20
3.1使用安全的密码策略 ..................................... 20 3.2使用安全的帐号策略 ..................................... 20
III