
Why does web penetration now target source code written in PHP?

First, the PHP language itself has many vulnerabilities, especially because many people don't like to use the latest version. PHP 8 has been released, yet a large number of people are still using PHP 5.2. The earlier the version, the more vulnerabilities it has, and the more vulnerabilities there are, the easier it is to compromise.

Second, PHP web frameworks have many vulnerabilities. ThinkPHP, the most commonly used PHP framework in China, often has serious vulnerabilities disclosed, such as the remote command execution vulnerability in 5.x, which affected a large number of websites using this framework. This vulnerability can be easily exploited, and a single program can infect a large number of websites at will. Some people have used this vulnerability to collect countless compromised hosts ("broilers").

In Java web development, on the other hand, most people use the Spring family of frameworks. The security and authentication features provided by Spring MVC and Spring Security are very powerful.

Although Spring has some vulnerabilities, I don't remember a foolproof vulnerability that is very easy to use and can easily get the highest privileges.

Third, PHP has the most low-quality source code available online. Many people simply have no ability to program independently. What these so-called "programmers" like to do most is download all kinds of free source code from the Internet and then modify it, even when they are building their own websites.

This kind of free source code is mostly PHP. DedeCMS, xxshop, xxmall, Wei Meng: the junk PHP source code here is full of holes. It can be said to be the favorite of hackers. Websites built mostly on this junk source code can be invaded by any middle school student, which is no different from streaking.

At the same time, programmers who use this junk code to build websites are generally not very skilled, and it is fair to say that they have not even reached an introductory level of programming. The programs these people write naturally cannot stop hackers from invading.

Fourth, many people have poor security awareness. No matter what language you use to build a website, in most cases you have to run Nginx, Apache or IIS in front of the website program. Even with Java, many architectures use Nginx for reverse proxying and static content, with Tomcat behind it.

Generally speaking, many people are either unskilled or lazy. They don't compile Tomcat or Apache themselves, but use ready-made one-click installation packages from the Internet or foolproof installers. These programs may have PHP support installed by default.

In other words, a Java web site written by programmers with weak security awareness or poor skills is likely to support PHP.

When many people attempt an intrusion, no matter what the website is, they will first test whether PHP can be executed, and the probability of a successful intrusion is relatively high.

Regarding the last question, if you find a vulnerability in a Java web application that lets you upload files, the next step is privilege escalation. It is useless to upload Java source code directly at this point. PHP is dynamically executed, so the source code can be executed directly, whereas Java needs to be compiled.

If you want to escalate privileges through the upload, you must first find out the JRE version of the target server, then compile locally with the corresponding version, and then upload the jar package before it can be executed.

There is another difference. Generally speaking, PHP only requires upload permission for the root directory of the website. With a Java web application, however, the root directory of the website and the directory where the executable jar package is stored are likely not the same directory. If you want to execute Java code, you must try to get upload permission for the directory where the jar package is located (and also get permission for the website's root directory), which is the difficult part.
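
For the fourth point above (one-click packages that leave PHP support enabled in front of a Java site), a defender can audit the web server configuration for directives that turn on PHP execution. This is an added example, not code from the original page; the sample configurations, addresses and ports are constructed, and the pattern list is an assumption that covers only common Apache httpd and Nginx directives.

```python
import re

# Directives that turn on PHP execution (common Apache httpd and Nginx forms only).
PHP_DIRECTIVES = [
    ("apache LoadModule php", re.compile(r"^\s*LoadModule\s+php\d*_module\b", re.I)),
    ("apache PHP handler", re.compile(r"^\s*(AddHandler|AddType|SetHandler)\s+\S*x-httpd-php", re.I)),
    ("nginx PHP location", re.compile(r"^\s*location\s+[^{]*\.php")),
    ("nginx fastcgi_pass", re.compile(r"^\s*fastcgi_pass\s+\S+")),
]


def find_php_handlers(config_text):
    """Return (line_number, label, directive) for each active PHP-enabling line."""
    findings = []
    for number, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.split("#", 1)[0]  # ignore commented-out directives
        for label, pattern in PHP_DIRECTIVES:
            if pattern.search(line):
                findings.append((number, label, line.strip()))
                break
    return findings


# Constructed sample: Nginx proxying to Tomcat, plus a PHP block left by an installer.
INSTALLER_NGINX = r"""
server {
    listen 80;
    location / {
        proxy_pass http://127.0.0.1:8080;   # Tomcat
    }
    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;
    }
    # location ~ \.php5$ { fastcgi_pass 127.0.0.1:9001; }
}
"""

# Constructed sample: Apache httpd forwarding to Tomcat with mod_php still loaded.
INSTALLER_APACHE = r"""
LoadModule php_module modules/libphp.so
<FilesMatch \.php$>
    SetHandler application/x-httpd-php
</FilesMatch>
ProxyPass / ajp://127.0.0.1:8009/
"""

if __name__ == "__main__":
    for name, text in (("nginx", INSTALLER_NGINX), ("apache", INSTALLER_APACHE)):
        for number, label, directive in find_php_handlers(text):
            print(f"{name}:{number}: {label}: {directive}")
```

On a site that is meant to serve only Java, every finding is a candidate for removal; a `fastcgi_pass` hit may belong to a non-PHP FastCGI backend and should be checked before deleting.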