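All-in-One Payment API Technical Documentation: CDN Special Character Rules
Message content should avoid the following words, which invoke system commands or tools: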
- ‘net localgroup’ (Windows command to modify local groups)
- ‘net.exe’ (Windows Net command)
- ‘nmap.exe’ (NMap executable for Windows)
- ‘nc.exe’ (NetCat executable for Windows)
- ‘traceroute’ and ‘tracert’ (Traceroute utility)
- ‘telnet.exe’ (Windows Telnet client)
- ‘tclsh’ and ‘tclsh8’ (Simple shell / TCL interpreter)
- ‘tftp’ (Trivial FTP client)
- ‘wguest.exe’ (Webcom Guestbook CGI – contains a known command injection vulnerability)
- ‘wsh.exe’ (Windows Script Host)
- ‘rcmd.exe’ (Windows NT remote command utility)
- ‘ftp.exe’ (Windows FTP client)
- ‘echo’ (Shell echo command)
- ‘cmd32.exe’ or ‘cmd.exe’ (Windows command shell)
- ‘cmd’ with the ‘/c’ switch (Windows command shell)
- ‘cd’ and a trailing slash (/) or backslash (\), or a trailing double-dot (..)
- ‘chmod’ with the ‘+x’ switch (Unix change file mode)
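Message content should also avoid the following commands when they are appended to the original input with shell-related characters.
These characters include the semicolon ( ; ), pipe ( | ) and backtick ( ` ):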
- ‘chgrp’
- ‘chmod’
- ‘chown’
- ‘csh’
- ‘cmd’
- ‘cpp’
- ‘passwd’
- ‘python’
- ‘perl’
- ‘ping’
- ‘ps’
- ‘nasm’
- ‘nmap’
- ‘nc’
- ‘finger’
- ‘ftp’
- ‘kill’
- ‘mail’
- ‘xterm’
- ‘rm’
- ‘ls’
- ‘lsof’
- ‘telnet’
- ‘uname’
- ‘echo’
- ‘id’
- ‘g++’
- ‘gcc’
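
One way to pre-check outgoing field values against the two lists above before a request is sent. This is an added example, not code from the original document. The matching semantics (case-insensitive, substring match for the first list, a command word directly after ; | or a backtick for the second) and the field names are assumptions.

```python
import re

# First list on the page: words that name system commands/tools.
# Assumption: the CDN matches them case-insensitively as substrings.
COMMAND_WORDS = [
    "net localgroup", "net.exe", "nmap.exe", "nc.exe", "traceroute",
    "tracert", "telnet.exe", "tclsh", "tftp", "wguest.exe", "wsh.exe",
    "rcmd.exe", "ftp.exe", "echo", "cmd32.exe", "cmd.exe",
]
# Entries the page describes as a command plus a switch or suffix.
COMMAND_PATTERNS = {
    "cmd /c": re.compile(r"\bcmd\b.*?/c\b", re.I),
    "cd + separator": re.compile(r"\bcd\s*(?:/|\\|\.\.)", re.I),
    "chmod +x": re.compile(r"\bchmod\b.*?\+x\b", re.I),
}
# Second list: commands flagged when they follow ; | or a backtick.
CHAINED = [
    "chgrp", "chmod", "chown", "csh", "cmd", "cpp", "passwd", "python",
    "perl", "ping", "ps", "nasm", "nmap", "nc", "finger", "ftp", "kill",
    "mail", "xterm", "rm", "ls", "lsof", "telnet", "uname", "echo", "id",
    "g++", "gcc",
]
CHAINED_RE = re.compile(
    r"[;|`]\s*(" + "|".join(re.escape(c) for c in CHAINED) + r")(?!\w)", re.I
)

def find_blocked(value):
    """Return labels of the page's rules that a field value would trip."""
    lowered = value.lower()
    hits = [w for w in COMMAND_WORDS if w in lowered]
    hits += [name for name, rx in COMMAND_PATTERNS.items() if rx.search(value)]
    hits += ["chained: " + m.group(1).lower() for m in CHAINED_RE.finditer(value)]
    return hits

def scan_fields(params):
    """Map each request field to its hits; clean fields are omitted."""
    report = {}
    for field, value in params.items():
        hits = find_blocked(str(value))
        if hits:
            report[field] = hits
    return report

# Constructed sample order; the field names are hypothetical.
SAMPLE = {
    "item_name": "CD/DVD player",
    "description": "Gift set | ping pong paddles",
    "remark": "Blue T-shirt size M",
}
```

Running `scan_fields(SAMPLE)` shows how ordinary product text such as "CD/DVD" or "| ping pong" collides with these rules, so such values can be reworded before submission.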