Classic web container parsing vulnerabilities

Table of contents

Apache file name resolution vulnerability (under 5.2.x) (info.php.x bypass)

IIS6.0 parsing vulnerability

File name resolution vulnerability (time.asp;1.jpg)

Directory parsing vulnerability (1.asp/time.jpg)

PHP-CGI parsing vulnerability (IIS 7.0 (info.png/.php))

Nginx parsing vulnerability

1. Null byte vulnerability (nginx/0.7.65) (/info.png%00.php)

2. File name logic vulnerability-CVE-2013-4547 (1.4.2) (info.png[0x20][0x00].php)


       These parsing vulnerabilities are used in combination with file upload vulnerabilities, and the two fit together well: an upload filter that only checks the extension can be defeated when the container itself parses the stored file as a script.

Apache file name resolution vulnerability (under 5.2.x) (info.php.x bypass)

       There is a parsing vulnerability in version 5.2.x. Take the fourth level of upload-labs as an example; this vulnerability is particularly useful for bypassing file upload restrictions.
When the file name is changed to info.php.x, the upload succeeds. If the Apache version shown in the response headers is 2.2.25, the parsing vulnerability is present: Apache evaluates every extension in the name, so the unknown trailing .x is ignored and the file is still handed to the PHP handler.

Changing the suffix to .x is enough to bypass the check.
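The common thread across the parsing tricks on this page is that the upload filter looks only at the last extension, while the web container looks at the whole file name. The following is an added example (not from the original post) of an upload-side check that closes that gap: it allowlists a single extension, rejects the characters that IIS 6, PHP-CGI and nginx interpret specially (';', '/', NUL, whitespace), and never stores the file under the client-supplied name. The allowed extension set and the 16-byte random name are assumptions chosen for the example.

```python
import re
import secrets

# Allowlisted extensions for an image-upload endpoint (constructed policy for this example).
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}

# Characters that the container parsers discussed on this page treat specially:
# ';' (IIS 6 name truncation), NUL and whitespace (nginx %00 / CVE-2013-4547),
# '/' and '\' (IIS 6 directory trick, PHP-CGI /.php suffix).
UNSAFE_CHARS = re.compile(r"[;\x00/\\\s]")


class UnsafeFilename(ValueError):
    """Raised when a client-supplied file name must not be stored."""


def safe_stored_name(client_filename: str) -> str:
    """Return a server-chosen name for an uploaded file, or raise UnsafeFilename.

    The whole name must have the shape 'base.ext' with exactly one dot, so
    'info.php.x' and 'time.asp;1.jpg' are rejected before the extension is
    even compared against the allowlist.
    """
    if not client_filename or UNSAFE_CHARS.search(client_filename):
        raise UnsafeFilename(f"unsafe character in {client_filename!r}")
    parts = client_filename.split(".")
    if len(parts) != 2 or not parts[0]:
        # exactly one dot: rejects multi-extension names and dotfiles such as .htaccess
        raise UnsafeFilename(f"expected 'base.ext', got {client_filename!r}")
    ext = parts[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UnsafeFilename(f"extension {ext!r} not allowed")
    # The stored name is random; the client's base name never reaches the filesystem.
    return f"{secrets.token_hex(16)}.{ext}"


def is_acceptable(client_filename: str) -> bool:
    """Boolean wrapper around safe_stored_name for callers that only need a verdict."""
    try:
        safe_stored_name(client_filename)
    except UnsafeFilename:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample names: one benign, then one per trick from this page.
    for name in ["photo.png", "info.php.x", "time.asp;1.jpg", "1.asp/time.jpg",
                 "info.png/.php", "info.png\x00.php", "info.png \x00.php"]:
        print(f"{name!r}: {'accepted' if is_acceptable(name) else 'rejected'}")
```

Storing the file outside the document root, or in a directory where script execution is disabled, is the usual second layer; the name check alone only removes the file-name ambiguity the parsers rely on.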

 

IIS6.0 parsing vulnerability

File name resolution vulnerability (time.asp;1.jpg)

       IIS 6.0 does not parse anything after a semicolon in the file name. That is, time.asp;1.jpg is executed as the file time.asp.

       We create a folder upload under the website wwwroot and create a file time.asp in it with the content <%=time()%>; the current time is displayed when the script executes. We then create a file with the same content named time.asp;1.jpg. When time.asp;1.jpg is visited, it is found to be executed.

It ran our script.

Directory parsing vulnerability (1.asp/time.jpg)

       In IIS 6.0, if a folder named *.asp, *.asa, *.cer or *.cdx is created under the website, then every file in that directory, whatever its extension, is interpreted and executed as an ASP file by IIS. For example, create a directory 1.asp; the file time.jpg under 1.asp is then executed as an ASP file.

PHP-CGI parsing vulnerability (IIS 7.0 (info.png/.php))

This is not a vulnerability of IIS itself but of the PHP CGI configuration: when /.php is appended to the requested file name, the preceding file is handed to PHP as path info. For example, visiting info.png/.php causes info.png to be parsed as PHP.

Nginx parsing vulnerability

1. Null byte vulnerability (nginx/0.7.65) (/info.png%00.php)

Access path: /info.png%00.php

Affected versions:

  •  0.5 <= version <= 0.7.65
  •  0.8 <= version <= 0.8.37

2. File name logic vulnerability-CVE-2013-4547 (1.4.2) (info.png[0x20][0x00].php)

This can be reproduced using vulhub.

Accessing the path info.png[0x20][0x00].php (a space followed by a null byte before .php) causes the file to be parsed as PHP.
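Every technique on this page leaves a recognisable request path in the web server access log, so a defender can hunt for them retrospectively. The following is an added example, not from the original post, of a small scanner over constructed combined-format log lines: it strips the query string, undoes URL encoding and nginx's \xNN log escaping, and matches one rule per parser behaviour described above (Apache multi-extension, IIS 6 semicolon and directory tricks, PHP-CGI /.php suffix, nginx null byte and the space-plus-null of CVE-2013-4547). The log lines, IP addresses and rule names are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines in combined format (not real traffic): one benign
# request followed by one request per parsing trick discussed on this page.
LOG_LINES = [
    '10.0.0.5 - - [01/Mar/2021:10:00:01 +0000] "GET /upload/photo.png HTTP/1.1" 200 5120',
    '10.0.0.7 - - [01/Mar/2021:10:00:02 +0000] "GET /upload/info.php.x HTTP/1.1" 200 312',
    '10.0.0.7 - - [01/Mar/2021:10:00:03 +0000] "GET /upload/time.asp;1.jpg HTTP/1.1" 200 48',
    '10.0.0.7 - - [01/Mar/2021:10:00:04 +0000] "GET /upload/1.asp/time.jpg HTTP/1.1" 200 48',
    '10.0.0.7 - - [01/Mar/2021:10:00:05 +0000] "GET /upload/info.png/.php HTTP/1.1" 200 312',
    '10.0.0.7 - - [01/Mar/2021:10:00:06 +0000] "GET /upload/info.png%00.php HTTP/1.1" 200 312',
    '10.0.0.7 - - [01/Mar/2021:10:00:07 +0000] "GET /upload/info.png%20%00.php HTTP/1.1" 200 312',
]

# Request line: method, target and protocol between the quotes of a combined-format entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')

# One rule per container behaviour from the page; patterns run on the decoded path.
RULES = [
    ("null-byte",        re.compile(r"\x00")),                               # nginx %00
    ("whitespace",       re.compile(r"\s")),                                 # CVE-2013-4547
    ("iis6-semicolon",   re.compile(r"\.(asp|asa|cer|cdx);", re.I)),         # time.asp;1.jpg
    ("iis6-directory",   re.compile(r"\.(asp|asa|cer|cdx)/", re.I)),         # 1.asp/time.jpg
    ("cgi-pathinfo",     re.compile(r"\.(png|jpe?g|gif)/[^/]*\.php$", re.I)),  # info.png/.php
    ("apache-multi-ext", re.compile(r"\.php\.[^/.]+$", re.I)),               # info.php.x
]


def decode_path(target: str) -> str:
    """Drop the query string, then undo nginx's \\xNN log escaping and URL encoding."""
    path = target.split("?", 1)[0]
    path = re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), path)
    return unquote(path)


def classify(path: str) -> list[str]:
    """Names of every rule the decoded path trips, in RULES order."""
    return [name for name, pattern in RULES if pattern.search(path)]


def scan_log(lines) -> list[tuple[str, list[str]]]:
    """Return (decoded_path, matched_rules) for each request that trips at least one rule."""
    flagged = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a request entry we understand; skip rather than guess
        path = decode_path(m.group("target"))
        hits = classify(path)
        if hits:
            flagged.append((path, hits))
    return flagged


if __name__ == "__main__":
    for path, hits in scan_log(LOG_LINES):
        print(f"{path!r}: {', '.join(hits)}")
```

A hit on a request that also returned 200 with a body size unlike the stored image is the combination worth escalating; the rules are deliberately broad, so pair them with the response status and size columns before alerting.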


Origin: blog.csdn.net/qq_44159028/article/details/114479648